[Discuss] root CA bloat

[tmetro+blu at gmail.com (Tom Metro)]

Edward Ned Harvey (blu) wrote:
> Look at the list of CA's on Mozilla's list, and look at their process
> for accepting CA's (and read that link about Honest Achmed, which is
> hilarious https://bugzilla.mozilla.org/show_bug.cgi?id=647959 )

Heh. It's a joke application to add a root certificate for "Honest
Achmed's Used Cars and Certificates", which includes this:

  Achmed's business plan is to sell a sufficiently large number of
  certificates as quickly as possible in order to become too big to fail
  (see "regulatory capture"), at which point most of the rest of this
  application will become irrelevant.

(The ticket was marked "resolved invalid.")


> Mozilla and Apple are basically the sluts of CA's.  They take any
> damn thing from anybody.

Has anyone created an extension for Firefox that trims down the cert
list to something like the top 50 cert providers?

I think what would be practical is not eliminating all the obscure CAs,
but having the cert validation area on the address bar show orange or
yellow or something to indicate that a valid cert was found, but that it
was issued by a less known provider, so if you are connection to your
US-based bank, or Amazon, or Google and you see this this, then you
should be cautious.

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/