Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't understand this, Justin. What part of any one CA makes them too big to fail? Isn't this tantamount to saying there's really not much a CA could do get distrusted?

I'm actually not advocating for the overthrow of the whole CA system.



Symantec alone owns 42+% of all the HTTPS certificates. Can you imagine a browser willing to break 42% of all the secure sites for their users? Even if you know a CA isn't very trustworthy, the situation needs to get really out of hand to outweigh the problem of having thousands of sites stop working.

That's why the Convergence/Perspectives proposals are so interesting: they let you remove trust on a provider ("Notary") without breaking the process.


The system doesn't have to be fair for it to be better. So Symantec and Verisign can use their clout to get around the rules. Fine. Let the system be unfair to the smaller CAs, and better for end-users.


Symantec and Verisign

Nitpick: Verisign isn't in the CA business anymore, Symantec bought it.

Let the system be unfair to the smaller CAs, and better for end-users.

But how is the system better for end-users? If a big CA fucks up, they're either at the risk of being MITMed or of having half their secure sites stop working. If no CA had more than, say, 10% of the market, a fuck up would only affect a small number of the sites they use.


Ah, shit, you're right about SYMC (I was actually scratching my head about how they were so dominant), thanks for pointing that out.

My logic is simple: fewer CAs selling the whole Internet trust scheme to the highest bidder = safer Internet.

If SYMC's CA is going to be above the law, so be it. We don't have to solve every problem simultaneously.


It's not that a major CA's root couldn't be revoked, but the situation would have to be extremely dire to warrant the negative impact. Plus, there's so little visibility into what the CAs are issuing that it's really hard to justify revocation--unless it's something public and obviously dangerous like the Diginotar situation. That's what I meant by "the system is just too big to fail."

(And to be clear, this is my opinion here, not me speaking for Google or Chrome.)

Edit: I just reread my original comment and I can see the confusion. I should have made it clear that I was talking about the response to this particular situation (issuing an intermediary for DLP). Basically, the CAs have no good reason to come clean, the abuse is hard to detect, and revocation is pretty hard to justify. So, it feels to me like the threat is hollow.


I think we agree more than we disagree, but I'm not fatalistic about browser CA roots; I think there are basic tactical things they can do today without breaking thousands of sites.

I agree with the world view you have, though: of the 3 most important organizations that control CA policy (I'm guessing that's Mozilla, Apple, and Microsoft), you have 2 companies for whom CA policy is small-ball that they're just not going to fight hard over, and the third is easily pushed around.

So, calling it like I see it: Mozilla isn't standing up for anything here, so much as they're getting rolled by abusive companies.


I didn't think we were disagreeing on anything substantive, unless I'm misreading. Mozilla's letter strikes me as somewhat hollow posturing, and Apple and Microsoft don't really seem interested in doing anything.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: