Re: [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Date: Wed, 16 Jul 2003 16:46:52 +0200 (CEST)
On Wed, 16 Jul 2003, Randy Bush wrote:
> so i am supposed to install the RIRs' certs in my browser as root
> CAs and ignore the big hole for attack this opens? i already
> *remove* a bunch of root CAs when i bring up a new browser. this
> is the new internet. get paranoid.
I might overlook something but what's the big hole (apart from the obvious
fact that importing the trust anchor needs some out-of-band support)?
> let the RIRs spend a few of the bucks they have getting their certs
> signed by a well-trusted root CA.
Specify 'few'. As far as I know it is not cheap to have your PKI
signed by one of the 'well-trusted' root CAs. Or are you suggesting that
RIPE should select one of the commercial root CAs and get all the client
certificates from that shop?
From a trust point of view it is in fact *better* to consciously import
the RIPE root-ca certificate in your browser than to simply trust what's
in your root certificate store.
Jan