On 12/15/09 12:47 PM, Dirk Meyer wrote: > Jonathan Schleifer wrote: >> Peter Saint-Andre <[email protected]> wrote: >> >>> Who said that including CAs is evil? >>> >>> My argument is that policies differ. Just because a lot of people use >>> a particular CA doesn't make it good. >> Deciding on policies is something the user should do, not the client. I >> for example trust something open and transparent like CACert much more >> than some company like VeriSign etc. > > And my sister has no idea what you are talking about, what these CA > things are, why there is a warning, and how she can check these strange > numbers called fingerprint. IMHO clients should include a basic sets of > CAs.
The model in Mozilla, OS X, and other platforms seems satisfactory: they include a common set of CAs but, if you really know what you are doing, you can explicitly signify that you trust CAs outside that set. The latter option is appropriate for geeks, but not for people like your sister. FWIW, I don't think that we need to standardize on CAs within XMPP clients and servers; instead it makes more sense to re-use the certificate bundles provided at the level of the operating system. Peter -- Peter Saint-Andre https://stpeter.im/
smime.p7s
Description: S/MIME Cryptographic Signature
