On 9 August 2013 18:16, Seth David Schoen <[email protected]> wrote:
> If you think governments are likely to use their own CAs for spying by
> issuing fraudulent certificates, you want to remove trust for those
> CAs _in your web browser_. Having a valid, correct, and publicly issued
> certificate from such a CA does not make the CA operator any more able
> to spy on you.
>
> There was a lot of concern when CNNIC became a root CA in mainstream
> browsers because of the perception that the Chinese government could
> force CNNIC to misissue certificates to facilitate surveillance. But
> this risk would be a reason for users not to trust the CNNIC root in
> their browsers, not directly a reason for sites to avoid getting certs
> from CNNIC.
While I agree your technical assessment is correct, I do want to note (and you'll probably agree with me) that if you think a CA may misissue/rollover for a government, the (indirect) reasons not to buy from that CA are to a) not give them additional money and b) reduce the number of certs on the internet using that CA, making it ever-so-slightly more possible that browsers will eventually be able to remove it from their trust stores.

Aside from StartCom (free), most CAs have roughly the same price and service. Since service is equivalent, you're free to choose a CA based on your political opinion, and not worry about missing out on 'features'.

It's basically like voting in an election - elections are won by tens or hundreds of thousands of votes, so it seems like one vote doesn't matter. But it can add up.

-tom

--
Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
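The mechanics behind the point made in this thread, as an added example that is not part of either message: acceptance of a certificate is decided by the verifier's trust store, not by the issuer, and a root that is trusted can mint a second certificate for the same site name that verifies just as well as the one the site actually bought. The script builds two throwaway roots ("Example Hypothetical Root CA" and "Other Root CA", both invented for this demo), a site certificate and an impostor certificate for the same hostname (www.example.test, also constructed), and checks each against each store. It assumes only that openssl(1) is on PATH.

```shell
#!/bin/sh
# Added example for the CA-trust discussion above; not code from the list.
# Assumes openssl(1). Everything is generated fresh in a temporary directory.
set -e

WORK=$(mktemp -d)

# Hypothetical names, constructed for this demo.
ROOT_SUBJ="/CN=Example Hypothetical Root CA"   # the CA under suspicion
OTHER_SUBJ="/CN=Other Root CA"                 # some unrelated root
SITE_SUBJ="/CN=www.example.test"               # the site's name

# make_root NAME SUBJECT: self-signed root certificate plus key (EC P-256,
# chosen only because it is fast to generate).
make_root() {
  openssl req -x509 -days 30 -nodes \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" >/dev/null 2>&1
}

# issue NAME ROOT SUBJECT: fresh key + CSR for SUBJECT, signed by ROOT.
issue() {
  openssl req -new -nodes \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$3" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_cert STORE CERT: exit 0 if CERT chains to a root in STORE
# (STORE stands in for a browser's trust store).
verify_cert() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# cert_issuer CERT: print the issuer DN recorded in CERT.
cert_issuer() {
  openssl x509 -noout -issuer -in "$WORK/$1.pem"
}

# Two roots; a browser might trust either, both, or neither.
make_root root  "$ROOT_SUBJ"
make_root other "$OTHER_SUBJ"

# The site legitimately buys a certificate from "root".
issue site root "$SITE_SUBJ"

# The same CA, coerced or compromised, issues a second certificate for the
# same hostname to a different key. The site never asked for this one.
issue impostor root "$SITE_SUBJ"

# report STORE CERT: human-readable line for the stand-alone run.
report() {
  if verify_cert "$1" "$2"; then r=accepted; else r=rejected; fi
  echo "store=$1 cert=$2 -> $r"
}

report root  site       # accepted: the real cert, root trusted
report root  impostor   # accepted too: the verifier cannot tell the difference
report other site       # rejected: root not in this store
report other impostor   # rejected: removing the root stops the impostor as well
```

The last two lines are the thread's point in action: whether the site itself bought from that CA makes no difference to the impostor's acceptance, while dropping the root from the verifier's store defeats both certificates at once.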
