Hi Ian,

ianG wrote:
> Nice! Now, if they could package up a plugin or a new root list such
> that we could write in 2 lines what busy sysadms had to do, I'd say it
> would make a great recommendation.
>
> What I'm trying to get away from is the notion that we should put a
> simple list in the doc and say "oh, and strip these out! You know
> how, vi is your friend..."

Yea. That won't work at all; there's no clear authority [sic!] on who can decide a CA is not trustworthy. Experience has to show that, and in that case a lot of the big CAs will fail an evaluation. If you ask me, it's pretty easy: my list of trusted CAs is empty.

Automated generation of lists of CAs that are simply unused is just the first step. I think certificate transparency is a good way to do that; the rest is basically automation. For example, one can provide Chef, Puppet or Ansible recipes for Linux and Mac clients; a similar solution for Windows and mobile devices should also be doable.
Aaron
