Robert Sayre wrote:
> Nelson Bolyard wrote:
>>
>> In effect, all the root CA certs are subordinate to the user himself.
>
> I can't accept this assertion, but I admit I am unable to articulate the
> reason. Maybe it's that users have never, ever cared about "root CA certs"?

But it has always been true. In all Netscape and Mozilla products, the user has always had complete control over the trusted certs. He was always able to add more trusted certs, and to remove trust from certs he chose not to trust. A surprising number of users actually use these features.

There are SO MANY people, groups, schools, ISPs, etc. who insist on being their own CAs, with their own CA certs, and MANY MORE besides them who issue self-signed server certs (no CA involved, just a trusted EE cert). ALL those users must use the UI to add the new trusted certs, and when the time comes to replace them, they use the UI to delete the old certs and install the new ones.

(Deleting the old certs would be completely unnecessary, except that most home-grown CAs use the same serial numbers for their certs, over and over and over. For their root CAs, they always use serial number zero, naturally, no matter how many times they reissue that cert.)

Now, there's simply no way that we can deny that those users are in control of the CAs they trust. The collected trust information stored by NSS for them is their trust anchor (in my view).

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto