[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jan Meijer
meijer at surfnet.nl
Wed Jul 16 16:46:52 CEST 2003
On Wed, 16 Jul 2003, Randy Bush wrote: > so i am supposed to install the RIRs' certs in my browser as root > CAs and ignore the big hole for attack this opens? i already > *remove* a bunch of root CAs when i bring up a new browser. this > is the new internet. get paranoid. I might overlook something but what's the big hole (apart from the obvious fact that importing the trustanchor needs some out-of-band support)? > let the RIRs spend a few of the bucks they have getting their certs > signed by a well-trusted root CA. Specify 'few'. As far as I know this it is not cheap to have your PKI signed by one of the 'well-trusted' root CAs. Or are you suggesting that RIPE should select one of the commercial root CAs and get all the client certificates from that shop? >From a trust point of view it is in fact *better* to consciously import the RIPE root-ca certificate in your browser then to simply trust what's in your root certificate store. Jan
- Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]