[cryptography] Let's go back to the beginning on this

Andy Steingruebl andy at steingruebl.com
Thu Sep 15 11:22:12 EDT 2011

On Wed, Sep 14, 2011 at 7:34 PM, Arshad Noor <arshad.noor at strongauth.com> wrote:
> However, an RP must assess this risk before trusting a self-signed
> Root CA's certificate.  If you believe there is uncertainty, then
> don't trust the Root CA.  Delete their certificate from your browser
> and other applications, effectively removing all risk from that CA
> and its subordinates from your computer.  Or, choose not to do
> significant business over the internet when you see their certificate
> on a site - you always have the choice.

1. You don't really always have a choice.  Many devices such as
smartphones don't allow you to edit the trust-store.
2. Not everything that uses TLS has a user interface to the TLS
connection information, information about the CA, cert-chain, etc.
For example, most/all email clients that do IMAPS don't let you even
see who the CA is, set rules, modify the keystore, etc.

Not everything online is a web browser, and some good chunk of the
problem we have here can't be even partially mitigated even by experts
because the software doesn't have those controls, even when it is a
web browser.  Please go ahead and examine the CA and cert-chain when
you are using HTTPS within mobile safari :)

- Andy

More information about the cryptography mailing list