China Internet Network Information Center accepted as a Mozilla root CA
Posted Feb 2, 2010 22:37 UTC (Tue) by dkg
In reply to: China Internet Network Information Center accepted as a Mozilla root CA
Parent article: China Internet Network Information Center accepted as a Mozilla root CA
I agree that this article's focus solely on China is probably a form of short-sighted xenophobia, and that there are many other dubious entities we should also be skeptical about.
But that doesn't mean we shouldn't be skeptical of CNNIC's inclusion. It means we should also be skeptical of the existing CAs that we're all implicitly "trusting" thanks to the vendors/distributors of our browsers (and other tools).
Debian's ca-certificates includes the Brazilian government's CA, for example. And the majority of the CAs included by default in Mozilla are subject to US Government jurisdiction and pressure. We should be securing our communications based on interpersonal networks of trust, not relying on these monolithic, unaccountable CAs.
Unfortunately, the single-issuer nature of X.509 certificates creates a structural bias toward centralization of authority, which is neither socially beneficial nor secure for the end user.
What we need is more work on projects like monkeysphere (I'm one of the developers), which looks to supplant existing PKIs (including X.509) with the distributed, de-centralized Web of Trust offered by OpenPGP.
The more communications security is in the hands of the end users, with tools that are intelligible to end users, the more we can reject these abusive (or at least easily abused) centralized authorities.