19 Mar 2014, 4:30 a.m.
Nice! Now, if they could package up a plugin or a new root list such that we could write in 2 lines what busy sysadmins had to do, I'd say it would make a great recommendation.
There is an '-ignore-list' feature in https://github.com/agl/extract-nss-root-certs
Yea. That won't work at all, there's no clear authority [sic!] on who can decide a CA is not trustworthy.
And no way to tell what CAs are or aren't trustworthy. It's simply about reducing your needless exposure.
My list of trusted CAs is empty.
Starting from empty is actually pretty easy, a lot of services start to be covered with under 50 certs. Especially for small sets of web users.