Parallel to a recent thread of TAFKA on trusting VPN providers, I
like to ask to which degree can we trust trust centres.
I was told that vendor software that implement RSA techniques
(for understandable commercial reasons) as a rule don't make their
codes available for user/public examinations. These pakages may have
software quality certifications issued from certain standardization
institutions. But nonetheless such software are to be considered
"blackboxes" in the present context IMHO. For to err is human. The
workers doing certification may for whatever reasons oversee
errors/defects and, what is worst in the present context, deliberate
backdoors, such that the public keys generated could be easy to crack.
In view of the fact that, due to applications such as banking etc.
etc., the "stake" in question (and hence the attractive force for
malicious guys) is extremely high, I like to question:
How much could a trust centre be trusted, if it has no idea of
how much the software it uses could be trusted?
I like to say that IMHO the trustworthiness of a CA (and hence the
security of its customers) depends on two factors:
(1) That the staff of the CA works conscientiously and correctly
(modulo unavoidable human errors).
(2) That the software employed is correct, in particular free of
deliberate backdoors (modulo unavoidable programming errors).
(1) is by itself a fairly delicate issue, which I could hardly
discuss due to lack of knowledge and experiences. (2) could
however be comparatively easily (up to a certain well-satisfying
degree) achieved through "exclusive" use of software whose source
codes are public, i.e. are available to everybody in the public
for purposes of examination. (In order to avoid eventual
'contaminations' in binary files, CAs should do the compilations