Using root CAs as a trusted 3rd party

Milo gnupg at oneiroi.net
Mon Jan 23 16:44:42 CET 2012


On 01/23/2012 03:24 PM, Mark H. Wood wrote:
> On Sat, Jan 21, 2012 at 01:49:20PM -0800, Ken Hagler wrote:
>
> (...)
> 
> I guess that the lesson is:  don't assume.  Find out for yourself
> whether a CA is worthy of your trust, before trusting.

Well, that could be a big challenge. In addition consider those:

http://petsymposium.org/2010/papers/hotpets10-Soghoian.pdf
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
https://bugzilla.mozilla.org/show_bug.cgi?id=682956
http://www.f-secure.com/weblog/archives/00002128.html
https://blog.torproject.org/blog/diginotar-damage-disclosure
http://www.links.org/?p=1196

... And many, many more examples. There were discussions about x509 and
CA's credibility or ability to perform their tasks. Not much to add here
I think.

-- 
Regards,
Milo



More information about the Gnupg-users mailing list