So many trusted authorities [LWN.net]

So many trusted authorities

Posted Feb 4, 2010 9:41 UTC (Thu) by dgm (subscriber, #49227)
Parent article: Mozilla and CNNIC

As an exercise, I spent two minutes reviewing all the CA in my Firefox. The amount of trusted authorities about whose I know nothing -and I mean absolutely nothing- is just scary.
Shouldn't the user be more involved in the parties his browser trusts?

(Log in to post comments)

So many trusted authorities

Posted Feb 4, 2010 10:56 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

FWIW, Debian prompts the user in a "medium" priority debconf checkboxes for which of the CAs to enable.

The list is a long one, and provides practically no information about the specific CA besides its name. It can be re-run later using the standard dpkg-reconfigure.

So it's a single dialog rather than dozens of prompts. But somehow I'm not sure the UI is optimal (or even reasonable).

So many trusted authorities

Posted Feb 4, 2010 16:32 UTC (Thu) by ejr (subscriber, #51652) [Link]

No, Debian prompts the system administrator and not the user.

So many trusted authorities

Posted Feb 4, 2010 21:43 UTC (Thu) by bronson (subscriber, #4806) [Link]

They're the same person, and have been for going on 25 years now.

So many trusted authorities

Posted Feb 5, 2010 1:26 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

Even if the prompts aren't too big a burden, knowing whether to answer yes or no is.

There's a lot of value in the Firefox developers screening these guys for me.

Bear in mind that the penalty for saying "no" to a CA that is actually trustworthy and legitimate (perhaps because you've never heard of it) is high: you don't get to use the web site you wanted to use.

I'm not sure any of it really matters in the big picture, though. The Chinese government can just use a self-signed certificate. In browsers I've seen, that results in a prompt to the user that, to 99% of them, is gobbledygook that boils down to "do you want to go to the web site you requested or not?"