On Sat, Jul 19, 2014 at 5:03 PM, John Denker <[email protected]> wrote:
> AFAICT, a lot of existing protocols were designed to resist
> passive eavesdropping. In contrast, the idea of large-scale
> MITM attacks was sometimes considered tin-foil-hat paranoia.
> To this day, standard Ubuntu Firefox trusts 162 different
> authorities (including the Hong Kong Post Office) to certify
> /anything and everything/.
>
> In the /usr/share/ca-certificates/mozilla directory, only one
> of 163 root certificates has any v3 Name Constraints at all.
> Why Ubuntu and Firefox tolerate this is beyond me; I can
> understand trusting Microsoft to sign Microsoft-related stuff,
> but allowing them to sign /anything and everything/ ?!????!!
The mozilla bundle includes about 150. It would be nice if the new cert observatories published a count of how many end certs they see each root cert covering... a top-N list of sorts. Then you could save some time by including the N of your choice in your 'empty by default' list. I think the distribution would be severely skewed, so maybe the top 10 or 15 cover most any place.
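Denker's count (one root out of 163 with v3 Name Constraints) is easy to reproduce against any PEM bundle. The script below is an added example, not code from either poster: it walks the DER of each certificate with a minimal TLV reader, pulls the extension OIDs out of the TBSCertificate, and counts the roots that carry Name Constraints (OID 2.5.29.30). It needs no third-party library. When run without arguments it scans a constructed three-certificate sample built inline by `fake_cert` (structurally minimal skeletons with empty extension values, not valid certificates); pass a path such as `/etc/ssl/certs/ca-certificates.crt` to scan a real bundle.

```python
"""Count CA roots in a PEM bundle that carry X.509v3 Name Constraints
(OID 2.5.29.30) using a minimal DER walker. Added example, not from the
original thread; the sample bundle at the bottom is constructed."""
import base64
import re
import sys

NAME_CONSTRAINTS_OID = "2.5.29.30"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def decode_oid(raw):
    """Decode DER OID content bytes to dotted form, e.g. 55 1d 1e -> 2.5.29.30."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def extension_oids(der):
    """Return the extension OIDs of a DER certificate (empty list if none)."""
    _, cert_start, _ = read_tlv(der, 0)                  # Certificate SEQUENCE
    _, tbs_start, tbs_end = read_tlv(der, cert_start)    # TBSCertificate SEQUENCE
    oids = []
    for tag, vstart, vend in children(der, tbs_start, tbs_end):
        if tag != 0xA3:                                  # [3] EXPLICIT Extensions
            continue
        _, exts_start, exts_end = read_tlv(der, vstart)  # Extensions SEQUENCE
        for _, ext_start, _ in children(der, exts_start, exts_end):
            _, oid_start, oid_end = read_tlv(der, ext_start)  # extnID comes first
            oids.append(decode_oid(der[oid_start:oid_end]))
    return oids


def scan_bundle(pem_text):
    """Return (total certificates, certificates carrying Name Constraints)."""
    total = constrained = 0
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        total += 1
        if NAME_CONSTRAINTS_OID in extension_oids(der):
            constrained += 1
    return total, constrained


def tlv(tag, body):
    """Minimal DER encoder used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def fake_cert(ext_oids):
    """CONSTRUCTED sample: a certificate-shaped skeleton (version, serial,
    extensions with empty values, empty signature). Not a valid certificate."""
    exts = b"".join(tlv(0x30, tlv(0x06, oid) + tlv(0x04, b"")) for oid in ext_oids)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0xA3, tlv(0x30, exts)))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed bundle: basicConstraints+keyUsage, basicConstraints+nameConstraints, no extensions.
SAMPLE_BUNDLE = (fake_cert([b"\x55\x1d\x13", b"\x55\x1d\x0f"])
                 + fake_cert([b"\x55\x1d\x13", b"\x55\x1d\x1e"])
                 + fake_cert([]))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    total, constrained = scan_bundle(text)
    print(f"{total} certificates, {constrained} with Name Constraints")
```

The walker only reads structure, so it does not verify signatures or parse names; it answers the one question Denker asked. Extending it toward the top-N idea means adding an issuer-name extractor and joining against observatory data, which this script does not attempt.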
