Using root CAs as a trusted 3rd party
Milo
gnupg at oneiroi.net
Mon Jan 23 16:44:42 CET 2012
On 01/23/2012 03:24 PM, Mark H. Wood wrote:
> On Sat, Jan 21, 2012 at 01:49:20PM -0800, Ken Hagler wrote:
>
> (...)
>
> I guess that the lesson is: don't assume. Find out for yourself
> whether a CA is worthy of your trust, before trusting.
Well, that could be a big challenge. In addition consider those:
http://petsymposium.org/2010/papers/hotpets10-Soghoian.pdf
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
https://bugzilla.mozilla.org/show_bug.cgi?id=682956
http://www.f-secure.com/weblog/archives/00002128.html
https://blog.torproject.org/blog/diginotar-damage-disclosure
http://www.links.org/?p=1196
... And many, many more examples. There were discussions about x509 and
CA's credibility or ability to perform their tasks. Not much to add here
I think.
--
Regards,
Milo
More information about the Gnupg-users
mailing list