[Discuss] root CA bloat
Edward Ned Harvey (blu)
blu at nedharvey.com
Sun Nov 23 11:31:44 EST 2014
> From: Tom Metro [mailto:tmetro+blu at gmail.com]
>
> I think what would be practical is not eliminating all the obscure CAs,
> but having the cert validation area on the address bar show orange or
> yellow or something to indicate that a valid cert was found, but that it
> was issued by a less known provider,
I would be in favor of eliminating the Chinese government from the CA list.
The color indicator indicating "how much" I trust some particular CA isn't practical, but the problem extends a little further - There are class 1 and class 2 certs, and higher, but of course there's no differentiation client-side. It's simply "Ok" or "Not Ok." So the question of "how much I trust" some particular cert is an interesting question - extending not just to which CA issued the cert, but other factors as well, including the class of the cert, the cipherspec, key strength, etc.
It would be interesting to come up with some meaningful indicator or behavioral difference client-side, based on level of trust for a given cert.
More information about the Discuss
mailing list