curl-library
Re: [PATCH] CURLOPT_CACERTSTORE
Date: Fri, 13 May 2011 18:46:13 -0400
On Fri, May 13, 2011 at 6:07 PM, <girish_at_shankar-software.org> wrote:
>> The whole point is to allow the user to decide which CA to trust and which
>> to not trust. Trust is a funny thing but you can't shove trust onto somebody
>> and force them to trust someone. That's not trust, that's something else.
>>
>
> This is ok when the user is just a single person, we should of course
> trust him to do the right thing. But when the user is a large organization
> it is the authorities in that organization who determine who everyone
> in the organization should trust. Under that scenario, the individual
> user should not be allowed to tamper with the list of root CAs. This
> is the situation we are facing.
OK, I have to ask this - could you build your specific list of allowed CA
certs into the app and simply not go get the list from a
possibly-tampered-with external file??
Ralph Mitchell
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-05-14