HOW to set “security.OCSP.require” in Google Chrome/Chromium?
Bruno Wolff III
bruno at wolff.to
Thu Mar 24 19:46:02 UTC 2011
On Thu, Mar 24, 2011 at 15:12:56 -0430,
Patrick O'Callaghan <pocallaghan at gmail.com> wrote:
>
> Even if that's true, it doesn't belie what I just said. If you don't
> trust the CA, don't use their services at all.
There is a difference between trusting them to certify a site and to not
resell data about you. Some people may trust them for one of these but
not the other. But for the record I do remove the certificates in firefox
as the certification of some CA who talked a browser manufacturer into
including their certs doesn't provide significant weight with me.
> There does not exist, and never can exist, a means of securing
> communication between two parties that don't trust each other unless
> they both decide to place some level of trust in a third party. CAs are
> just one way to do that (and clearly they need to get their act
> together). Web-of-trust mechanisms are another but I don't know of any
> mainstream browsers that support them.
Web of trust is better than hierarchical for general use. But also it would
be have been nice if browsers were design to help you make sure you are
communicating with the same entity as the last time. (Sort of like how ssh
does things.) For cert changes, one could sign new certs with the old ones.
The current warning system is more like a protection racket that a security
system.
More information about the users
mailing list