commit: 045eeb36700c783095f9cf6bcad380d6da470081
parent 40f15e8a7babf6aa6a7229d27a809c8af88fb4b7
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Sun, 11 Aug 2024 09:57:46 +0200
RejectedCAs.md: Reject GlobalSign
Diffstat:
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ Purposefully minimalist root certificates store of X.509 Certificate Authorities
- Certificate Transparency and CAA support
- Standardized validation like ACME. Absolutely no proprietary verifications.
-Each authority is then listed in `CertificatesAutorities.json`
+Each accepted authority is then listed in `CertificatesAutorities.json`, each rejected authority is listed in <./RejectedCAs.md>.
--
Copyright © 2024 Haelwenn (lanodan) Monnier <contact+ca-certificates@hacktivis.me>
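Review bot: the added README line points to the rejected list as `<./RejectedCAs.md>`, but angle-bracket autolinks in CommonMark require an absolute URI with a scheme, so a relative path in that form renders as literal text rather than a link. Suggest an inline link such as `[RejectedCAs.md](./RejectedCAs.md)`. The same line joins two independent clauses with a comma; splitting them with a semicolon or "and" would read more cleanly.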
diff --git a/RejectedCAs.md b/RejectedCAs.md
@@ -0,0 +1,5 @@
+# Rejected Certificate Authorities
+## GlobalSign
+- Appears to still support non-standard verifications
+- <https://www.globalsign.com/en/custom-ca-private-pki> seems to allow man-in-the-middle ("SSL/TLS Inspection/Decryption") which should only be done with a special non-trusted certificate
+- Cross-signs other CAs, which while interesting for allowing new CA, ultimately means having to trust all the cross-signed CAs
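Review bot: missing evidence on two of the three bullets under `## GlobalSign`. The first ("Appears to still support non-standard verifications") has no source, unlike the second, and the third does not name or link the cross-signed CAs it refers to. Since the README criteria visible in this commit include "Absolutely no proprietary verifications", each rejection reason should cite the page or document it was taken from and the date it was checked, so the entry can be re-evaluated if the CA's practices change. The hedged wording ("Appears to", "seems to") would also be easier to act on if each bullet said which README criterion it fails.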