Should Mozilla Trust A Chinese CA?

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Feb 18, 2010.

  1. I’ve wondered before whether all CAs should be considered equally
    trustworthy or not
    <http://www.freedom-to-tinker.com/blog/felten/mozilla-debates-whether-trust-chinese-ca>.

    I think a likely solution is to let you assign different trust levels to the
    different CA certs you have installed. Then a site’s SSL cert can cause a
    different colour code to appear in the address bar, depending on the
    trustworthiness of the CA that signed it.
     
    Lawrence D'Oliveiro, Feb 18, 2010
    #1

  2. Lawrence D'Oliveiro

    Richard Guest

    Lawrence D'Oliveiro wrote:
    > I’ve wondered before whether all CAs should be considered equally
    > trustworthy or not
    > <http://www.freedom-to-tinker.com/blog/felten/mozilla-debates-whether-trust-chinese-ca>.
    >
    > I think a likely solution is to let you assign different trust levels to the
    > different CA certs you have installed. Then a site’s SSL cert can cause a
    > different colour code to appear in the address bar, depending on the
    > trustworthiness of the CA that signed it.


    I don't like the idea of any CA being trusted by default.
     
    Richard, Feb 18, 2010
    #2

  3. In message <hlj4b1$6ce$>, Richard wrote:

    > I don't like the idea of any CA being trusted by default.


    If you’re using a browser, then you’re already doing it.

    In Firefox/Iceweasel, go to Preferences, click the “Advanced” icon, then the
    “Encryption” tab, and under that the “View Certificates” button. In the
    dialog that opens, click the “Authorities” tab.

    Those are all the CA certificates you’re trusting by default—about a hundred
    of them.
     
    Lawrence D'Oliveiro, Feb 18, 2010
    #3
  4. Lawrence D'Oliveiro

    Simon Guest

    On Feb 18, 11:10 pm, Lawrence D'Oliveiro <l...@geek-
    central.gen.new_zealand> wrote:
    > I’ve wondered before whether all CAs should be considered equally
    > trustworthy or not
    > <http://www.freedom-to-tinker.com/blog/felten/mozilla-debates-whether-...>.
    >
    > I think a likely solution is to let you assign different trust levels to the
    > different CA certs you have installed. Then a site’s SSL cert can cause a
    > different colour code to appear in the address bar, depending on the
    > trustworthiness of the CA that signed it.


    While this is an interesting idea, I'm not sure that this would work
    well for the average computer user. Mind you they'll probably just
    click through the cert installation and all warning dialogues anyway,
    so perhaps this won't be aimed at them.
     
    Simon, Feb 18, 2010
    #4
  5. In message <>, Simon wrote:

    > On Feb 18, 11:10 pm, Lawrence D'Oliveiro <_zealand> wrote:
    >
    >> I’ve wondered before whether all CAs should be considered equally
    >> trustworthy or not
    >> <http://www.freedom-to-tinker.com/blog/felten/mozilla-debates-whether-trust-chinese-ca>.
    >>
    >> I think a likely solution is to let you assign different trust levels to
    >> the different CA certs you have installed. Then a site’s SSL cert can
    >> cause a different colour code to appear in the address bar, depending on
    >> the trustworthiness of the CA that signed it.

    >
    > While this is an interesting idea, I'm not sure that this would work
    > well for the average computer user. Mind you they'll probably just
    > click through the cert installation and all warning dialogues anyway,
    > so perhaps this won't be aimed at them.


    For this reason, I think the default setting should be, as perverse as it
    sounds, “trust everything”.
     
    Lawrence D'Oliveiro, Feb 18, 2010
    #5
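Added example, not part of any post in the thread: a Python sketch of the per-CA trust-level idea from post #1, applied to the kind of default CA list post #3 points at, with the "trust everything" default from post #5. The level names, the colour mapping and the organisation name in the sample rating are assumptions made for illustration.

```python
import ssl
from collections import Counter

# Assumed mapping from a user-assigned trust level to an address-bar colour.
COLOURS = {"high": "green", "medium": "yellow", "low": "red"}


def subject_field(cert, field):
    """Return one field from the nested 'subject' tuple that
    SSLContext.get_ca_certs() produces, or None if it is absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def ca_name(cert):
    # Some roots carry no organizationName; fall back to the common name.
    return (subject_field(cert, "organizationName")
            or subject_field(cert, "commonName")
            or "<unnamed>")


def colour_for(cert, levels, default="high"):
    """Map a CA cert to a colour. default="high" is the "trust everything"
    default: a CA the user never rated is treated as fully trusted."""
    return COLOURS[levels.get(ca_name(cert), default)]


def audit(certs, levels, default="high"):
    """Return (colour counts, sorted names of CAs the user never rated)."""
    counts = Counter(colour_for(c, levels, default) for c in certs)
    unrated = sorted({ca_name(c) for c in certs if ca_name(c) not in levels})
    return counts, unrated


def load_default_cas():
    """CA certificates this Python/OpenSSL build trusts by default."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    my_levels = {"Example Trust Services": "low"}  # constructed rating
    counts, unrated = audit(load_default_cas(), my_levels)
    print(dict(counts))
    print(f"{len(unrated)} CA organisations trusted without ever being rated")
```

`get_ca_certs()` does not list certificates that sit in a `capath` directory until they have been used, so on some systems the count printed here is lower than the number of CAs actually trusted.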
  6. Lawrence D'Oliveiro

    Richard Guest

    Lawrence D'Oliveiro wrote:
    > In message <hlj4b1$6ce$>, Richard wrote:
    >
    >> I don't like the idea of any CA being trusted by default.

    >
    > If you’re using a browser, then you’re already doing it.
    >
    > In Firefox/Iceweasel, go to Preferences, click the “Advanced” icon, then the
    > “Encryption” tab, and under that the “View Certificates” button. In the
    > dialog that opens, click the “Authorities” tab.
    >
    > Those are all the CA certificates you’re trusting by default—about a hundred
    > of them.


    I know, it's quite worrying, and worse that more trust is shown with some
    of them.
     
    Richard, Feb 19, 2010
    #6
  7. In message <hllmb4$bn7$>, Richard wrote:

    > I know, it's quite worrying, and worse that more trust is shown with some
    > of them.


    There’s some thoughtful discussion of the issues here
    <http://www.freedom-to-tinker.com/blog/sjs/web-security-trust-models>. Would
    you prefer a web-of-trust or hierarchical-and-delegated model instead?
     
    Lawrence D'Oliveiro, Feb 23, 2010
    #7