On Wed, 16 Jul 2003, Randy Bush wrote:
> so i am supposed to install the RIRs' certs in my browser as root CAs and ignore the big hole for attack this opens? i already *remove* a bunch of root CAs when i bring up a new browser. this is the new internet. get paranoid.
I might overlook something but what's the big hole (apart from the obvious fact that importing the trust anchor needs some out-of-band support)?
> let the RIRs spend a few of the bucks they have getting their certs signed by a well-trusted root CA.
Specify 'few'. As far as I know it is not cheap to have your PKI signed by one of the 'well-trusted' root CAs. Or are you suggesting that RIPE should select one of the commercial root CAs and get all the client certificates from that shop?
From a trust point of view it is in fact *better* to consciously import the RIPE root-ca certificate in your browser than to simply trust what's in your root certificate store.
Jan