so i am supposed to install the RIRs' certs in my browser as root CAs and ignore the big hole for attack this opens? i already *remove* a bunch of root CAs when i bring up a new browser. this is the new internet. get paranoid. I might overlook something but what's the big hole
someone getting at the root CA key at an RIR
Specify 'few'. As far as I know this it is not cheap to have your PKI signed by one of the 'well-trusted' root CAs.
maybe not cheap for a student, but an RIR can afford it
Or are you suggesting that RIPE should select one of the commercial root CAs and get all the client certificates from that shop?
no, the RIRs can sign their customers certs. maybe a tutorial is needed on how this stuff works. paf, is there one readily available?
From a trust point of view it is in fact *better* to consciously import the RIPE root-ca certificate in your browser then to simply trust what's in your root certificate store.
when the RIRs' procedures to protect their root CA keys are audited by third parties who have the expertise to do so. randy