This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jan Meijer
meijer at surfnet.nl
Wed Jul 16 16:46:52 CEST 2003
On Wed, 16 Jul 2003, Randy Bush wrote: > so i am supposed to install the RIRs' certs in my browser as root > CAs and ignore the big hole for attack this opens? i already > *remove* a bunch of root CAs when i bring up a new browser. this > is the new internet. get paranoid. I might overlook something but what's the big hole (apart from the obvious fact that importing the trustanchor needs some out-of-band support)? > let the RIRs spend a few of the bucks they have getting their certs > signed by a well-trusted root CA. Specify 'few'. As far as I know this it is not cheap to have your PKI signed by one of the 'well-trusted' root CAs. Or are you suggesting that RIPE should select one of the commercial root CAs and get all the client certificates from that shop? >From a trust point of view it is in fact *better* to consciously import the RIPE root-ca certificate in your browser then to simply trust what's in your root certificate store. Jan
- Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]