[Ach] You Won't Be Needing These Any More: On Removing Unused Certificates From Trust Stores
grarpamp
grarpamp at gmail.com
Tue Mar 18 21:30:54 PDT 2014
>> Nice! Now, if they could package up a plugin or a new root list such
>> that we could write in 2 lines what busy sysadms had to do, I'd say it
>> would make a great recommendation.
There is an '-ignore-list' feature in
https://github.com/agl/extract-nss-root-certs
> Yea. That won't work at all, there's no clear authority [sic!] on who
> can decide a CA is not trustworthy.
And no way to tell what CAs are or aren't trustworthy.
It's simply about reducing your needless exposure.
> my list of trusted CAs is empty.
Starting from empty is actually pretty easy, a lot of services
start to be covered with under 50 certs. Especially for small
sets of web users.
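
The "start from empty" approach, sketched as an added example that is not part of the original post and not code from extract-nss-root-certs: a PEM bundle is pruned down to an allowlist of SHA-256 fingerprints, and allowlist entries missing from the bundle are reported. The function names are hypothetical and the sample blocks are constructed bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def pem_blocks(bundle):
    """Yield (sha256_hex_of_der, pem_text) for each certificate block."""
    for m in PEM_RE.finditer(bundle):
        der = base64.b64decode("".join(m.group(1).split()))
        yield hashlib.sha256(der).hexdigest(), m.group(0)

def prune_bundle(bundle, allowlist):
    """Keep only blocks whose fingerprint is allowlisted (default is drop).

    Returns (pruned_pem, dropped_count, allowlisted_but_missing).
    Fingerprints may be given as plain hex or colon-separated, any case.
    """
    wanted = {fp.replace(":", "").lower() for fp in allowlist}
    kept, seen, dropped = [], set(), 0
    for fp, pem in pem_blocks(bundle):
        if fp in wanted and fp not in seen:
            kept.append(pem)
            seen.add(fp)
        else:
            dropped += 1  # not allowlisted, or a duplicate of a kept block
    pruned = "\n".join(kept) + ("\n" if kept else "")
    return pruned, dropped, sorted(wanted - seen)

def _fake_pem(payload):
    # Constructed stand-in: arbitrary bytes, NOT a real X.509 certificate.
    b64 = base64.b64encode(payload).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + b64 +
            "\n-----END CERTIFICATE-----\n")

# Constructed sample input: three fake "roots", one of them allowlisted,
# plus one allowlist entry that matches nothing in the bundle.
SAMPLE_BUNDLE = "".join(_fake_pem(p) for p in (
    b"constructed-root-A", b"constructed-root-B", b"constructed-root-C"))
SAMPLE_ALLOWLIST = [hashlib.sha256(b"constructed-root-B").hexdigest(),
                    "00" * 32]

if __name__ == "__main__":
    pruned, dropped, missing = prune_bundle(SAMPLE_BUNDLE, SAMPLE_ALLOWLIST)
    print(pruned, end="")
    print("dropped:", dropped, "allowlisted but not in bundle:", missing)
```

The missing list matters when the upstream bundle changes: an allowlisted root that has disappeared shows up there instead of silently breaking a service.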