Re: [Ach] You Won't Be Needing These Any More: On Removing Unused Certificates From Trust Stores

From: Aaron Zauner
Cc: cpunks <cypherpunks@cpunks.org>
Date: Wed, 19 Mar 2014 03:52:41 -0000

Hi Ian,

ianG wrote:
> Nice! Now, if they could package up a plugin or a new root list such that we could write in 2 lines what busy sysadms had to do, I'd say it would make a great recommendation.
>
> What I'm trying to get away from is the notion that we should put a simple list in the doc and say "oh, and strip these out! You know how, vi is your friend..."

Yea. That won't work at all, there's no clear authority [sic!] on who can decide a CA is not trustworthy. Experience has to show that, and in that case a lot of the big CAs will fail an evaluation. If you ask me, it's pretty easy, my list of trusted CAs is empty.

Automated generation of lists of CAs that are simply unused is just the first step. I think certificate-transparency is a good way to do that, the rest is basically automation. For example: one can provide chef, puppet, ansible recipes for linux and mac clients; a similar solution for windows and mobile devices should also be doable.
Aaron
grarpamp wrote:

> Nice! Now, if they could package up a plugin or a new root list such that we could write in 2 lines what busy sysadms had to do, I'd say it would make a great recommendation.

There is an '-ignore-list' feature in https://github.com/agl/extract-nss-root-certs

> Yea. That won't work at all, there's no clear authority [sic!] on who can decide a CA is not trustworthy.

And no way to tell what CAs are or aren't trustworthy. It's simply about reducing your needless exposure.

> my list of trusted CAs is empty.

Starting from empty is actually pretty easy, a lot of services start to be covered with under 50 certs. Especially for small sets of web users.
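Both posts above describe the same pipeline: start from the vendor root list, decide which anchors local traffic never chains to, and strip them. The script below is an added example (not code from the paper, from agl's extract-nss-root-certs, or from either poster): it parses a constructed certdata.txt-style excerpt, keeps only roots trusted for TLS server authentication, and removes the ones on an ignore list; the labels and octal bytes are placeholders, not real root certificates.

```python
"""Reduce a Mozilla certdata.txt-style root list through an ignore list. Added
example for this thread, not code from the paper, agl's extract-nss-root-certs
or either poster; CERTDATA and IGNORE are constructed placeholders."""
import re

# Constructed excerpt in certdata.txt syntax: a CKO_CERTIFICATE and a CKO_NSS_TRUST
# object share one CKA_LABEL; the last root is no server-auth anchor and drops out.
CERTDATA = r"""BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root B"

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email Root"

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
"""
IGNORE = {"Example Root B"}  # constructed: a root local TLS traffic never chains to

def parse_certdata(text):
    """Return one dict of CKA_* attributes per blank-line separated object."""
    objects = []
    for block in re.split(r"\n\s*\n", text):
        # Octal body lines, END and BEGINDATA never match and are skipped on purpose.
        attrs = re.findall(r"^(CKA_\w+)\s+\S+\s*(.*)$", block, re.M)
        if attrs:
            objects.append({k: v.strip().strip('"') for k, v in attrs})
    return objects

def server_auth_roots(objects, ignore):
    """Labels trusted as TLS server-auth anchors, minus the ignore list."""
    certs = {o["CKA_LABEL"] for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    trusted = {o["CKA_LABEL"] for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
               and o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"}
    return sorted((certs & trusted) - set(ignore))
```

Calling `server_auth_roots(parse_certdata(CERTDATA), IGNORE)` yields only the anchors that survive both filters; pointing `CERTDATA` at a real certdata.txt gives the reduced list such a tool would emit.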
Participants: Aaron Zauner, grarpamp