Tim Prepscius writes: > We want to get to a state where an e-mail server is easy to set up. > And runs with *non governmental* issued ssl certificates.
I think this might reflect a misperception of the threat model around misissuance of certificates. If you think governments are likely to use their own CAs for spying by issuing fraudulent certificates, you want to remove trust for those CAs _in your web browser_. Having a valid, correct, and publicly issued certificate from such a CA does not make the CA operator any more able to spy on you. There was a lot of concern when CNNIC became a root CA in mainstream browsers because of the perception that the Chinese government could force CNNIC to misissue certificates to facilitate surveillance. But this risk would be a reason for users not to trust the CNNIC root in their browsers, not directly a reason for sites to avoid getting certs from CNNIC. The cert isn't some kind of poison for private communications that use it, it's just a way of telling browsers that your key is OK to use. If you have a cert that tells browsers that your key is OK to use and the browsers will accept it and you agree with the contents of that cert, the cert is fine for you to use on your site. The risk to me from, say, CNNIC is that even though I use a cert from StartCom, CNNIC will secretly misissue a different cert for my site containing a public key controlled by the Chinese government, and then the government can use that to spy on some users who communicate with my site. The risk is not that I would ask CNNIC's CA for a cert for my site containing my actual public key and that they would say yes and give it to me. :-) -- Seth Schoen <sch...@eff.org> Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 -- Liberationtech is a public list whose archives are searchable on Google. Persistent violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech