Not necessarily true. There are certainly CAs that are able to keep their private keys out of the hands of most governments. But there is definite uncertainty about who to trust. For the truly cautious, wouldn't it make sense to explore setting up your own CA? Something like OpenCA or TinyCA should do the trick.
You're missing the point. If the UI says "yes, that's 23david" whenever I can get any CA to certify that, the security of the system is no better than that of the weakest CA. Sure, your CA may be perfect, but why would the attacker go for the strongest point?
So perhaps that's an issue with the UI not clearly showing which CA is verifying the identity, and alerting you clearly if an encrypted email is using a different CA than prior ones.
Depending on the client you're using, it shouldn't be too hard to prune the trusted CA list to only include providers you choose to trust. If you want, only include your CA and remove all others.
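An added example (not from the thread, and not any mail client's own code) showing what the two ideas above look like in code: verifying a sender's certificate against a trust store that holds only the CAs you chose (the pruning suggested in the previous post), and warning when an address you have seen before turns up vouched for by a different CA (the alerting suggested two posts up). It is written in Go against the standard library only. The CAs and certificates are constructed in memory for the demo: a hypothetical "Our Private CA", a hypothetical "Some Other CA", and two certificates that both claim 23david@example.com, one from each CA. Nothing here reads or changes the system trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint generates a key pair plus a certificate for name: a self-signed CA when
// parent is nil, otherwise an S/MIME end-entity cert for that address signed by parent.
func mint(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent, parentKey = t, key
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.EmailAddresses = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// scenario constructs, in memory, two unrelated CAs and two certificates that both claim 23david@example.com.
func scenario() (ourCA, otherCA, david, impostor *x509.Certificate, err error) {
	ourCA, ourKey, err := mint("Our Private CA", nil, nil)
	if err != nil {
		return
	}
	otherCA, otherKey, err := mint("Some Other CA", nil, nil)
	if err != nil {
		return
	}
	if david, _, err = mint("23david@example.com", ourCA, ourKey); err != nil {
		return
	}
	impostor, _, err = mint("23david@example.com", otherCA, otherKey)
	return
}

// rootFor verifies leaf against a store holding ONLY the listed CAs and returns the
// anchoring root. A non-nil Roots pool, even an empty one, disables the system-store fallback.
func rootFor(leaf *x509.Certificate, trusted ...*x509.Certificate) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		roots.AddCert(ca)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	if err != nil {
		return nil, err
	}
	return chains[0][len(chains[0])-1], nil
}

const (
	Rejected  = "rejected: no chain to a CA in the pruned store"
	FirstSeen = "ok: first certificate for this address, CA pinned"
	Unchanged = "ok: same CA as before"
	CAChanged = "WARNING: address now vouched for by a different CA"
)

type TrustState map[string][sha256.Size]byte // per address: SHA-256 of the root CA seen last time

// CheckSender combines the pruned store with per-correspondent CA pinning.
func CheckSender(state TrustState, leaf *x509.Certificate, trusted ...*x509.Certificate) string {
	root, err := rootFor(leaf, trusted...)
	if err != nil {
		return Rejected
	}
	fp := sha256.Sum256(root.Raw)
	prev, seen := state[leaf.Subject.CommonName]
	if !seen {
		state[leaf.Subject.CommonName] = fp
		return FirstSeen
	}
	if prev == fp {
		return Unchanged
	}
	return CAChanged // deliberately not re-pinned: a human should decide
}
```

With only "Our Private CA" in the store, the impostor certificate is simply rejected, which is the pruning case. If "Some Other CA" is also trusted, the impostor verifies cleanly (any trusted CA can vouch for "23david"), and only the pin on the address catches that the vouching CA has changed.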
Probably makes sense to start deciding which CAs we should or shouldn't trust? Has anyone reliable done any work on rating or evaluating the trustworthiness/security of different CAs?