[liberationtech] [guardian-dev] An email service that requires GPG/PGP?

[Tom Ritter]

On 9 August 2013 18:16, Seth David Schoen <schoen at eff.org> wrote:
> If you think governments are likely to use their own CAs for spying by
> issuing fraudulent certificates, you want to remove trust for those
> CAs _in your web browser_.  Having a valid, correct, and publicly issued
> certificate from such a CA does not make the CA operator any more able
> to spy on you.
>
> There was a lot of concern when CNNIC became a root CA in mainstream
> browsers because of the perception that the Chinese government could
> force CNNIC to misissue certificates to facilitate surveillance.  But
> this risk would be a reason for users not to trust the CNNIC root in
> their browsers, not directly a reason for sites to avoid getting certs
> from CNNIC.

While I agree your technical assessment is correct, I do want to note
(and you'll probably agree with me) that if you think a CA may
misissue/rollover for a government, the (indirect) reasons not to buy
from that CA are to a) not give them additional money and b) reduce
the number of certs on the internet using that CA, making it
ever-so-slightly more possible for browsers will eventually be able to
remove it from their trust stores.

Aside from StartCom (free) most CAs have roughly the same price and
service.  Since service is equivalent, you're free to choose a CA
based on your political opinion, and not worry about missing out on
'features'. It's basically like voting in an election - elections are
won by tens or hundreds of thousands of votes, so it seems like one
vote doesn't matter.  But it can add up.

-tom