"Richard Laager" <rlaager(_at_)wiktel(_dot_)com> writes:
No, X.509 propagates trust. The root certificates in your browser's
certificate store are there because you trust them.
Nope, they're there because I don't have a choice. I *trust* that if I report
an unauthorised credit card charge to my CC vendor within 30-60 days, it won't
come out of my pocket. I am forced to *depend* on hardcoded CA certs in my
browser because without that I can't exercise my trust in Reg.E/Reg.Z. The
only thing I trust about a commercial CA-issued cert is that it proves that at
some point money changed hands, to the CA's benefit (admittedly this provides
at least a small amount of trust by proving that either the web site takes
itself seriously enough that it's willing to burn money to make this point or
that the script kiddie who r00ted it was skillful enough to get away with it
unnoticed).
If you don't trust VeriSign to issue signatures, remove them from the root
certificate store.
I could disable the 100+ certs in my browser (a mere 700 mouse clicks, only a
day or so's work) but then I'd constantly have warning dialogs popping up and
annoying me while I'm exercising my trust in Reg.E/Reg.Z. In addition
disabling only the Verisign roots won't prevent Verisign certs from being
accepted, because of the implicit universal cross-certification in browsers
any other CA could issue Verisign certs and they'd be treated no diferently
from the real thing.
Peter.