On Wed, Sep 14, 2011 at 7:34 PM, Arshad Noor <arshad.n...@strongauth.com> wrote:

> However, an RP must assess this risk before trusting a self-signed
> Root CA's certificate. If you believe there is uncertainty, then
> don't trust the Root CA. Delete their certificate from your browser
> and other applications, effectively removing all risk from that CA
> and its subordinates from your computer. Or, choose not to do
> significant business over the internet when you see their certificate
> on a site - you always have the choice.
1. You don't really always have a choice. Many devices such as smartphones don't allow you to edit the trust store.

2. Not everything that uses TLS has a user interface to the TLS connection information, information about the CA, cert chain, etc. For example, most/all email clients that do IMAPS don't let you even see who the CA is, set rules, modify the keystore, etc.

Not everything online is a web browser, and some good chunk of the problem we have here can't be even partially mitigated, even by experts, because the software doesn't have those controls, even when it is a web browser. Please go ahead and examine the CA and cert chain when you are using HTTPS within mobile Safari :)

- Andy

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
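The gap Andy points at, an IMAPS client that never shows you which CA issued the server's certificate, can be filled out of band with a few lines of Python. This is an added illustration, not code from the thread; the host name in the usage line is a placeholder, and the cafile parameter lets you substitute your own trust bundle for the platform store when you have decided which roots you are willing to accept.

```python
"""Inspect the CA behind an IMAPS (TCP/993) server when the mail client
offers no UI for it. Added illustration, not code from the mailing list."""
import socket
import ssl
from datetime import datetime, timezone


def _rdn_value(name, attr):
    # getpeercert() encodes a name as a tuple of RDNs, each RDN a tuple of (key, value) pairs
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def summarize_cert(cert):
    """Reduce a getpeercert() dict to the fields a relying party cares about."""
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    subject_cn = _rdn_value(cert.get("subject", ()), "commonName")
    # subjectAltName is a tuple of (type, value) pairs, e.g. ('DNS', 'imap.example.net')
    dns_names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {
        "subject": subject_cn,
        "issuer": issuer_cn,
        # a self-signed leaf is the case the thread is arguing about
        "self_signed": cert.get("issuer") == cert.get("subject"),
        "dns_names": dns_names,
        "expires": expires.isoformat(),
    }


def inspect_imaps(host, port=993, cafile=None, timeout=10):
    """Open a verified TLS connection and return a summary of the server's leaf cert.
    cafile=None uses the platform trust store; pass your own PEM bundle to
    restrict trust to the roots you have chosen. Raises ssl.SSLError when the
    chain does not validate, which is itself the answer you were looking for."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return summarize_cert(tls.getpeercert())


if __name__ == "__main__":
    # placeholder host; replace with your own IMAPS server
    print(inspect_imaps("imap.example.net"))
```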