Re: [Ach] You Won't Be Needing These Any More: On Removing Unused Certificates From Trust Stores
Nice! Now, if they could package up a plugin or a new root list such that we could write in 2 lines what busy sysadms had to do, I'd say it would make a great recommendation. What I'm trying to get away from is the notion that we should put a simply list in the doc and say "oh, and strip these out! You know how, vi is your friend..." Yea. That won't work at all, there's no clear authority [sic!] on who can decide a CA is not trustworthy. Experience has to show that, and in
Cc: cpunks
> Nice! Now, if they could package up a plugin or a new root list such that we could write in 2 lines what busy sysadms had to do, I'd say it would make a great recommendation.

There is an '-ignore-list' feature in https://github.com/agl/extract-nss-root-certs

> Yea. That won't work at all, there's no clear authority [sic!] on who can decide a CA is not trustworthy.

And no way to tell what CAs are or aren't trustworthy. It's simply about reducing your needless exposure.

> my list of trusted CAs is empty.

Starting from empty is actually pretty easy, a lot of services start to be covered with under 50 certs. Especially for small sets of web users.
Participants (2): Aaron Zauner, grarpamp
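The two pruning approaches discussed in this thread, an ignore list versus starting from empty, shown side by side as an added example; it is not part of the original messages and is not code from extract-nss-root-certs. The function names (`prune`, `split_bundle`, `fingerprint`) and the sample bundle are assumptions made for illustration, and the sample "certificates" are constructed placeholder blobs rather than real X.509 data.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, as lowercase hex without colons."""
    return hashlib.sha256(der).hexdigest()

def split_bundle(pem_text):
    """Yield (fingerprint, pem_block) for every certificate in a PEM bundle."""
    for m in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        yield fingerprint(der), m.group(0)

def prune(pem_text, fingerprints, mode):
    """mode='ignore': drop the listed roots and keep everything else.
    mode='allow':  start from empty and keep only the listed roots.
    Returns (new_bundle, listed fingerprints that matched nothing)."""
    if mode not in ("ignore", "allow"):
        raise ValueError(mode)
    # Accept fingerprints pasted with colons or in upper case.
    wanted = {f.lower().replace(":", "") for f in fingerprints}
    kept, unmatched = [], set(wanted)
    for fp, block in split_bundle(pem_text):
        unmatched.discard(fp)
        if (fp in wanted) == (mode == "allow"):
            kept.append(block)
    return "\n".join(kept) + ("\n" if kept else ""), sorted(unmatched)

def _fake_pem(payload: bytes) -> str:
    # Constructed stand-in blob; only its bytes matter for fingerprinting.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"

# Constructed sample data, not real root certificates.
SAMPLE_DER = [b"constructed-root-A", b"constructed-root-B", b"constructed-root-C"]
SAMPLE_BUNDLE = "\n".join(_fake_pem(d) for d in SAMPLE_DER) + "\n"

if __name__ == "__main__":
    only_b, missing = prune(SAMPLE_BUNDLE, [fingerprint(SAMPLE_DER[1])], "allow")
    print(only_b.count("BEGIN CERTIFICATE"), "root kept; unmatched:", missing)
```

The second return value lists entries that matched no certificate in the bundle, which catches a mistyped fingerprint before the pruned store is deployed.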