* Richard Barnes <rbar...@mozilla.com> [2014-08-01 04:09]:
> Hi all,
> 
> We in the Mozilla PKI team have been discussing ways to improve
> revocation checking in our PKI stack, consolidating a bunch of ideas
> from earlier work [1][2] and some maybe-new-ish ideas.  I've just
> pressed "save" on a new wiki page with our initial plan:
> 
> https://wiki.mozilla.org/CA:RevocationPlan

Hello,

While I appreciate that something is being done, this is another
band-aid for a system that is falling apart. Revocation is helping
when you know that a certificate was stolen/abused but does not keep
CAs from issuing certificates that can enable certain entities to
mount MITM attacks. It always comes down to trusting the CAs until you
can prove that they have done wrong.

CAs have lost a lot of trust and while we still depend on them NOW I
think it would be wise to keep working on better alternatives. When
looking at the "Long-Range Vision" paragraph on your page I don't see
that happening. It's rather a collection of band-aids.

There is bug 672239 which would implement DNSSEC DANE to verify
certificates/keys via DNSSEC secured DNS-Records:

https://bugzilla.mozilla.org/show_bug.cgi?id=672239

This bug is essentially abandoned at the moment, which is really sad.
DANE would solve all the trust problems we have right now but it seems
no one is interested in working on it. That's especially frustrating
when seeing how much work is now put into the OneCRL stuff.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
