constGard | 1 year ago

If I were interested in assembling an authoritative, up-to-date list of trusted CAs, would it be reasonable to source lists from the major trust store providers and select only those CAs trusted by all of them? I know it's possible to be a lot more sophisticated and that even that can be flawed, but I'm hunting for a simple-to-follow criterion for now.

woodruffw|1 year ago

The CCADB tracks the various root programs, so you could do this today[1]. In practice however I think you’d be best off just using the Mozilla root program; I believe they’re as (if not more) strict than the corporate root programs in terms of inclusion.

[1]: https://www.ccadb.org/
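
Added example, not part of either comment above and not CCADB or Mozilla code: the "trusted by all of them" rule from the question, computed over PEM bundles exported from each trust store and matched by SHA-256 certificate fingerprint. The store names and the certificate bytes are constructed placeholders, not real roots.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """SHA-256 fingerprints (hex) of the DER bytes of every cert in a PEM bundle."""
    found = set()
    for body in PEM_CERT.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()), validate=True)
        found.add(hashlib.sha256(der).hexdigest())
    return found

def trusted_by_all(stores):
    """stores maps a store name to its PEM bundle.

    Returns (common, partial): fingerprints present in every store, and for
    each remaining fingerprint the sorted names of the stores that lack it.
    """
    per_store = {name: fingerprints(pem) for name, pem in stores.items()}
    if not per_store:
        return set(), {}
    common = set.intersection(*per_store.values())
    everything = set.union(*per_store.values())
    partial = {fp: sorted(n for n, fps in per_store.items() if fp not in fps)
               for fp in everything - common}
    return common, partial

def fake_pem(der):
    """Wrap arbitrary bytes in PEM armor (constructed sample, not a real cert)."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

# Constructed placeholder "roots" and hypothetical store names.
ROOT_A, ROOT_B, ROOT_C = (fake_pem(b"constructed-root-" + x) for x in (b"A", b"B", b"C"))
SAMPLE_STORES = {
    "store_one": ROOT_A + ROOT_B + ROOT_C,
    "store_two": ROOT_A + ROOT_B,             # lacks root C
    "store_three": ROOT_B + ROOT_C + ROOT_A,  # same set as store_one, other order
}

if __name__ == "__main__":
    common, partial = trusted_by_all(SAMPLE_STORES)
    print("trusted by all:", sorted(common))
    for fp, missing in partial.items():
        print("dropped:", fp, "missing from", missing)
```

Fingerprint matching treats two certificates issued for the same CA key as different entries, and a PEM bundle carries none of a root program's per-root constraints such as trust bits.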

ryukoposting|1 year ago

Sounds like we need a certificate authority authority.

tptacek|1 year ago

They exist: they're the Google and Mozilla root programs.

BobbyTables2|1 year ago

Bickering will just result in having multiple authorities.

This can be solved with a certificate authority authority authority.

The first will be named CARTMAN and must be respected by all.