This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database

Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jan Meijer meijer at surfnet.nl
Wed Jul 16 16:46:52 CEST 2003

On Wed, 16 Jul 2003, Randy Bush wrote:

> so i am supposed to install the RIRs' certs in my browser as root
> CAs and ignore the big hole for attack this opens?  i already
> *remove* a bunch of root CAs when i bring up a new browser.  this
> is the new internet.  get paranoid.

I might overlook something but what's the big hole (apart from the obvious
fact that importing the trustanchor needs some out-of-band support)?

> let the RIRs spend a few of the bucks they have getting their certs
> signed by a well-trusted root CA.

Specify 'few'.  As far as I know this it is not cheap to have your PKI
signed by one of the 'well-trusted' root CAs.  Or are you suggesting that
RIPE should select one of the commercial root CAs and get all the client
certificates from that shop?

>From a trust point of view it is in fact *better* to consciously import
the RIPE root-ca certificate in your browser then to simply trust what's
in your root certificate store.

Jan

Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ db-wg Archives ]