On Thu, Apr 24, 2014 at 12:57:36PM +0000, Michael Wojcik wrote:
[snip]
> > How and why do you trust any root certs?  Generally they're built-in to your
> > OS or your browser, so you're just blindly trusting that those guys know what
> > they're doing.
> 
> And they don't, and they don't care that they don't. The SSL/TLS 
> X.509-with-well-known-CAs PKI is fundamentally broken and frequently 
> compromised. But there's little we can do about it, so we pretend it isn't.

Well, there certainly is something we can do about it, but you won't
like it any more than I do:

1.  Empty all of your trust stores.
2.  Add the cert.s of all CAs you already trust (if any) to your
    trust stores.
3.  Investigate each CA you don't yet trust.  As you come to trust
    one, add it to your trust stores.
4.  Pay attention to the CAs you trust, and evict any that seem to
    have declined to a degree that worries you.
5.  Goto 3.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.
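
The procedure in the message above, sketched with Python's standard `ssl` module. This is an added example, not part of the original post. It assumes you record a SHA-256 fingerprint for each CA you have vetted; the helper names `fingerprint`, `curate` and `curated_context` are hypothetical, and the demo at the bottom uses the OS roots only as sample input.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprint(pem):
    """SHA-256 of the DER bytes, as hex: the value to record when vetting a CA."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def curate(bundle, vetted):
    """Steps 2-4: split a PEM bundle into CAs you vetted and CAs to leave out.

    Returns (kept, evicted, missing); `missing` lists vetted fingerprints the
    bundle no longer contains, which is a prompt to re-investigate that CA.
    """
    want = {fp.lower().replace(":", "") for fp in vetted}
    kept, evicted, seen = [], [], set()
    for pem in PEM_RE.findall(bundle):
        fp = fingerprint(pem)
        seen.add(fp)
        (kept if fp in want else evicted).append(pem)
    return kept, evicted, sorted(want - seen)

def curated_context(kept):
    """Step 1 plus step 2: a verifying client context that trusts only `kept`."""
    # SSLContext() starts with an empty store; create_default_context() would
    # load the OS roots, which is exactly what the procedure throws away.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if kept:
        ctx.load_verify_locations(cadata="\n".join(kept))
    return ctx

if __name__ == "__main__":
    # Demo input: the roots this OS ships. Treating the first one as "vetted"
    # is a stand-in for your own investigation, not a recommendation.
    ders = ssl.create_default_context().get_ca_certs(binary_form=True)
    bundle = "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)
    vetted = {hashlib.sha256(d).hexdigest() for d in ders[:1]}
    kept, evicted, missing = curate(bundle, vetted)
    stats = curated_context(kept).cert_store_stats()
    print(len(kept), "kept;", len(evicted), "evicted;", "store:", stats)
```

A connection made through `curated_context(...)` fails verification for any server whose chain does not end in a kept CA, so the cost of step 3 shows up immediately as handshake errors.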
