[cryptography] Let's go back to the beginning on this

Ian G iang at iang.org
Thu Sep 15 13:41:32 EDT 2011

On 16/09/2011, at 1:22, Andy Steingruebl <andy at steingruebl.com> wrote:

> On Wed, Sep 14, 2011 at 7:34 PM, Arshad Noor <arshad.noor at strongauth.com> wrote:
>> However, an RP must assess this risk before trusting a self-signed
>> Root CA's certificate.  If you believe there is uncertainty, then
>> don't trust the Root CA.  Delete their certificate from your browser
>> and other applications, effectively removing all risk from that CA
>> and its subordinates from your computer.  Or, choose not to do
>> significant business over the internet when you see their certificate
>> on a site - you always have the choice.
> 1. You don't really always have a choice.  Many devices such as
> smartphones don't allow you to edit the trust-store.

It's far worse: the user has no choice, more or less, for all browsers.

This is deliberate policy by the participants. Vendors have organized (atrophied?) the security user interface to obscure any capability for average users to assess the roots, and have declined any opportunity to pass new reliance responsibilities to users.

CAs have obfuscated the policies and contracts so that users cannot figure it out. This also is industry practice. Technical players have also played their part in denying clear and simple structures.

End result is that in secure browsing, the user cannot assess. Period. Vendors have long recognized this failure in classical PKI thinking, and have taken on the role for their users: policies, audits, reviews.

In secure browsing, the vendor is the Relying Party, by proxy, on behalf of all users. They don't accept that in public statements, but the pattern of facts is undeniable. Policy, review, UI, tech, it's all there.
