[Ach] You Won't Be Needing These Any More: On Removing Unused Certificates From Trust Stores

Aaron Zauner azet at azet.org
Wed Mar 19 04:51:06 CET 2014

Hi Ian,

ianG wrote:
> Nice!  Now, if they could package up a plugin or a new root list such
> that we could write in 2 lines what busy sysadmins had to do, I'd say it
> would make a great recommendation.
> What I'm trying to get away from is the notion that we should put a
> simple list in the doc and say "oh, and strip these out!  You know
> how, vi is your friend..."
Yea. That won't work at all, there's no clear authority [sic!] on who
can decide a CA is not trustworthy. Experience has to show that, and in
that case a lot of the big CAs will fail an evaluation. If you ask me,
it's pretty easy: my list of trusted CAs is empty. Automated generation
of lists of CAs that are simply unused is just the first step. I think
certificate-transparency is a good way to do that, the rest is basically
automation. For example: one can provide chef, puppet, ansible recipes
for Linux and Mac clients; a similar solution for Windows and mobile
devices should also be doable.
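
The "automated generation of lists of unused CAs" step, as an added example (not code from the post or from the ACH project): given the certificates in a trust bundle and the set of issuer fingerprints actually observed in use, it lists the roots never seen as issuers and emits lines for Debian's /etc/ca-certificates.conf, where a leading "!" deactivates a certificate. The bundle file names, their PEM payloads and the observed-issuer set are all constructed placeholders; the script only hashes DER bytes and never parses X.509.

```python
"""Audit a CA bundle against the issuers actually observed on the wire.

Constructed example: the bundle entries and the observed fingerprints are
made-up placeholders. The logic (split PEM, fingerprint DER, set difference,
emit a ca-certificates.conf deselect list) is the part to reuse.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _fake_pem(label: str) -> str:
    """Build a constructed PEM block; the payload is NOT a real certificate."""
    body = base64.b64encode(f"constructed-der-for-{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed bundle: path under /usr/share/ca-certificates -> PEM text.
BUNDLE = {
    "mozilla/Example_Root_A.crt": _fake_pem("A"),
    "mozilla/Example_Root_B.crt": _fake_pem("B"),
    "mozilla/Example_Root_C.crt": _fake_pem("C"),
}


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, colon-separated like `openssl x509 -fingerprint -sha256`."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def unused_roots(bundle: dict, observed: set) -> list:
    """Bundle entries whose fingerprint never appeared as an issuer in `observed`."""
    return sorted(name for name, pem in bundle.items()
                  if fingerprint(pem) not in observed)


def deselect_lines(unused: list) -> list:
    """Lines for /etc/ca-certificates.conf: '!' in front of a path deactivates that CA."""
    return ["!" + name for name in unused]


if __name__ == "__main__":
    # Constructed: only Root B was ever seen issuing a chain to our clients.
    observed = {fingerprint(BUNDLE["mozilla/Example_Root_B.crt"])}
    for line in deselect_lines(unused_roots(BUNDLE, observed)):
        print(line)
```

In a real deployment the observed set would be collected from client TLS logs or a CT-derived issuer list, and the generated lines would be pushed by the configuration-management tool before running update-ca-certificates.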

