Web of Trust (a revolution)
Bruno Wolff III
bruno at wolff.to
Mon Mar 30 19:12:45 UTC 2009
On Mon, Mar 30, 2009 at 13:46:02 -0400,
Todd Denniston <Todd.Denniston at ssa.crane.navy.mil> wrote:
>
> i.e., sure all the root CA's that the browser producers want to include
> can come in, but they should have trust DBs that allow each user to tick:
> * Never trust this key. (and by extension anything it has signed. Perhaps
> with a pop up indicating 'the sig is ok, according to bla, but bla is a
> known idiot.')
> * Marginal trust. (pop up something saying 'the sig is ok, according to
> bla, but you are uncomfortable with bla.')
> * Fully trust. (operate as CA's in web browsers since they started getting CA's.)
>
> And by default (as released by the browser producers) the keys should be
> set to either Never or Marginal.
I'd rather see more of a web of trust type model. Right now you can only have
one chain of certificates. So you can't have a cert signed by multiple
roots.
There is nothing keeping track of the cert you previously saw for a site
(unless you remove all of the CA certs) so that you get warned when it
changes. (At least if the new cert isn't signed by the old one.)
CAs that charge extra in order to sign certs that have flag set to
indicate that they can sign other certs in subdomains should be boycotted.
Sites with self signed certs that prevent passive snooping get treated as the same
as going to a site without ssl and not triggering all sorts of inappropriate
warnings that look scary and make people jump through hoops to bypass them.
More information about the fedora-list
mailing list