Bill Crawford wrote:
On Monday 30 March 2009 20:12:45 Bruno Wolff III wrote:
On Mon, Mar 30, 2009 at 13:46:02 -0400,
Todd Denniston <Todd.Denniston@xxxxxxxxxxxxxxxxxx> wrote:
i.e., sure all the root CA's that the browser producers want to include
can come in, but they should have trust DBs that allow each user to tick:
* Never trust this key. (and by extension anything it has signed. Perhaps
with a pop up indicating 'the sig is ok, according to bla, but bla is a
known idiot.')
* Marginal trust. (pop up something saying 'the sig is ok, according to
bla, but you are uncomfortable with bla.')
* Fully trust. (operate as CA's in web browsers since they started
getting CA's.)
And by default (as released by the browser producers) the keys should be
set to either Never or Marginal.
I'd rather see more of a web of trust type model. Right now you can only
have one chain of certificates. So you can't have a cert signed by multiple
roots.
Ought to be possible for people to visit companies' offices and sign their keys,
and add them to the "web of trust" as per PGP / GPG keys. No idea if / how that
should be done, in practice, though.
Difficult at best, who wants to trust a faceless corporation? Not to be
cynical but you might trust the receptionist but what about the IT dept?
Are they competent? Money is no guarantee of anything, in fact the
larger the company the more likely they will let something slip through
the cracks. Companies all say they are secure and trustworthy, but who
is hiring these people? Are their background checks? Should there be?
Probably they outsource that and then you have to see if you can trust
that company too. The main problem is that so much gets outsourced so
dept head A doesn't have to worry about it but who is checking that this
other company is doing it right? Its an endless cycle of paranoia.
--
"Any fool can know. The point is to understand" --Albert Einstein
Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0
http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines