Hacker News
by constGard 563 days ago
If I were interested in assembling an authoritative, up-to-date list of trusted CAs, would it be reasonable to source lists from the major trust store providers and select only those CAs trusted by all of them? I know it's possible to be a lot more sophisticated and that even that can be flawed, but I'm hunting for a simple-to-follow criterion for now.
2 comments

The CCADB tracks the various root programs, so you could do this today[1]. In practice however I think you'd be best off just using the Mozilla root program; I believe they're as strict as (if not stricter than) the corporate root programs in terms of inclusion.

[1]: https://www.ccadb.org/
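As an added worked example of the intersection approach the question describes (this is not code from the thread or from the CCADB), the script below takes one CSV export per root program, such as the CSV reports the CCADB publishes, and keeps only the roots whose SHA-256 fingerprint appears in every export. The column names ("Common Name", "SHA-256 Fingerprint"), the three program names and the placeholder fingerprints are assumptions constructed for the example; map the column names to whatever a real export uses.

```python
import csv
import io
import re

HEX64 = re.compile(r"^[0-9A-F]{64}$")


def normalize_fingerprint(raw: str) -> str:
    """Canonicalise a SHA-256 fingerprint: strip colons and whitespace,
    upper-case, and reject anything that is not exactly 64 hex digits.
    Keying the intersection on a normalised hash rather than the CN is
    what makes it meaningful: names repeat across re-issued and
    cross-signed roots, fingerprints do not."""
    fp = re.sub(r"[\s:]", "", raw).upper()
    if not HEX64.match(fp):
        raise ValueError(f"malformed SHA-256 fingerprint: {raw!r}")
    return fp


def load_roots(csv_text: str,
               fp_column: str = "SHA-256 Fingerprint",
               name_column: str = "Common Name") -> dict:
    """Parse one root program's CSV export into {fingerprint: common name}.
    The column names are assumptions for this example."""
    roots = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        roots[normalize_fingerprint(row[fp_column])] = row[name_column].strip()
    return roots


def trust_matrix(exports: dict) -> dict:
    """Map each fingerprint to the set of programs whose list contains it."""
    matrix = {}
    for program, csv_text in exports.items():
        for fp in load_roots(csv_text):
            matrix.setdefault(fp, set()).add(program)
    return matrix


def trusted_by_all(exports: dict) -> dict:
    """Roots present in every program's list: {fingerprint: common name}."""
    names = {}
    for csv_text in exports.values():
        names.update(load_roots(csv_text))
    all_programs = set(exports)
    return {fp: names[fp]
            for fp, programs in trust_matrix(exports).items()
            if programs == all_programs}


def _fake_fp(digit: str) -> str:
    # Constructed placeholder fingerprint (one hex digit repeated 64 times).
    # Not the hash of any real certificate.
    return digit * 64


def _colon_form(fp: str) -> str:
    # Render as AA:BB:... the way openssl prints fingerprints.
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))


# Constructed sample exports for three hypothetical root programs.
# Root A is in all three (in differing case), root B is in all three
# (one export uses colon-separated form), C is Mozilla-only, and D is
# missing from Mozilla.
SAMPLE_EXPORTS = {
    "Mozilla": "Common Name,SHA-256 Fingerprint\n"
               f"Example Root A,{_fake_fp('A')}\n"
               f"Example Root B,{_fake_fp('B')}\n"
               f"Example Root C,{_fake_fp('C')}\n",
    "Microsoft": "Common Name,SHA-256 Fingerprint\n"
                 f"Example Root A,{_fake_fp('a')}\n"
                 f"Example Root B,{_colon_form(_fake_fp('B'))}\n"
                 f"Example Root D,{_fake_fp('D')}\n",
    "Apple": "Common Name,SHA-256 Fingerprint\n"
             f"Example Root A,{_fake_fp('A')}\n"
             f"Example Root B,{_fake_fp('b')}\n"
             f"Example Root D,{_fake_fp('D')}\n",
}


if __name__ == "__main__":
    common = trusted_by_all(SAMPLE_EXPORTS)
    print(f"{len(common)} roots trusted by all {len(SAMPLE_EXPORTS)} programs:")
    for fp, name in sorted(common.items(), key=lambda kv: kv[1]):
        print(f"  {name}: {fp}")
    print("partial agreement:")
    for fp, programs in trust_matrix(SAMPLE_EXPORTS).items():
        if fp not in common:
            print(f"  {fp[:16]}... only in {sorted(programs)}")
```

Two caveats a practitioner would want: presence in every list is necessary but not sufficient, since real exports also carry per-program status and trust-purpose information (a root may be included for email but not TLS, or be scheduled for distrust), so filter on those columns before intersecting; and the trust_matrix output is worth keeping, because a root that only one program has dropped is usually the more interesting signal than the stable intersection.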

Sounds like we need a certificate authority authority.
They exist: they're the Google and Mozilla root programs.
Bickering will just result in having multiple authorities.

This can be solved with a certificate authority authority authority.

The first will be named CARTMAN and must be respected by all.

I propose:

  public class CertificateAuthorityFactory {
  }