Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You're missing the point. If the UI says "yes, that's 23david" if I can get any CA to certify that, the security of the system is no better than that of the weakest CA. Sure, your CA may be perfect, but why would the attacker go for the strongest point?



So perhaps that's an issue with the UI not clearly showing which CA is verifying the identity, and alerting you clearly if an encrypted email is using a different CA than prior ones.

Depending on the client you're using, it shouldnt be too hard to prune the trusted CA list to only include providers you choose to trust. If you want, only include your CA and remove all others.


So instead of PGP - which is already quite daunting, mind - the user now get to assess the security of 200+ CAs, most of which they've never heard of?


You're right, this wouldn't make a lot of sense for most users.

But this would be useful in a corporation where it's possible to centrally manage CA lists for approved applications.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: