This should be more widely understood: an application considers a CA trusted because some human told it so. There is no other way.
The "recognized" CAs are trusted by e.g. your browser because the maker of the browser decided to trust them and so put them into the list of trusted CAs that is packed in the browser. Others have written about the kinds of things those CAs needed to do in order to gain that trust. If you decide that you don't trust one of them, you can take it out and it becomes untrusted *for you*. If you decide to trust a CA that hasn't made the browser makers' goodie lists, you can just install it in your browser's list of trusted CAs and it becomes trusted *for you*. Anyone else can do that too, with a similar result for himself.

If any given cert. is calculated to be trusted, that means that, at the top of the chain, it can be linked back to a cert. that someone marked manually as trusted. Trust is not calculable without that.

Really, the only thing protecting most people from rogue CAs is the browser makers' understanding that they, too, are in a position of trust, and could be hurt badly by lax acceptance practices no matter how many disclaimers they slather onto the EULA. We should all check and tune our browsers' trust lists. (No, I haven't.)

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_
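The point above, that a certificate is only "trusted" because it chains to a root some human put in the trust list, shown as an added example (not part of the original post): the same server certificate verifies against one root and fails against another, and the only difference is which file is handed to the verifier. It assumes an openssl CLI (1.1.1 or newer) on PATH; all names and files are constructed here.

```shell
#!/bin/sh
# Added example: trust is an anchor decision, not a property of the cert.
# Assumes an openssl CLI (1.1.1 or newer); everything goes in a temp dir.
set -e
WORK=$(mktemp -d)

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: a self-signed root CA that no browser ships with.
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$1" -days 1 >/dev/null 2>&1
}

# make_leaf NAME CA: a server certificate issued by the CA named in $2.
make_leaf() {
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$1.pem" -days 1 >/dev/null 2>&1
}

# verify_against LEAF ROOT: prints "trusted" if LEAF chains to ROOT, else "untrusted".
# Changing the -CAfile is exactly "editing your trust list" for this one check.
verify_against() {
  if openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca myroot      # the CA I chose to mark as trusted
make_ca otherroot   # somebody else's CA, equally valid, not on my list
make_leaf server myroot

echo "server.pem with myroot as the anchor:    $(verify_against server myroot)"
echo "server.pem with otherroot as the anchor: $(verify_against server otherroot)"
```

Nothing about server.pem changes between the two runs; only the anchor does, which is what the verifier's answer is really reporting.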