> * Browser people detected this misissuance

This one, but not at least several others issued by this CA.

> * Browser people acted fast to untrust the offending ICA

Yes, but not the root which issued it in violation of many of the policies for the trust store, despite strong language implying that this would likely for violating a specific one of those rules.

> * Browser people conceived of and are implementing CT
> * Browser people convinced CAs to implement CT by using their limited
>   political capital carefully
> * Browser people opened up the CA/Browser Forum somewhat

I'm well aware of that. I think the Chromium developers have done a fantastic job on the technical end of things and that's the only place where *I* see anything moving forwards. AFAIK, Mozilla dragged their feet a lot on CT and isn't actively pushing for it with - correct me if I'm wrong, but that's the strong impression I get from lurking on relevant IRC channels.

> * Browser people conceived of and implemented key pinning

That's nice for Google and the other (dozen?) sites, but AFAIK you're not willing to pin just any keys. It's not scalable and creates an anti-competitive situation where the big companies have an inherent security advantage. Letting CryptoCat and Tor pin their keys was a nice move, but what about everyone else?

> * CAs don't want to go out of business

That's why browser vendors have far more power than you're willing to admit. You can kill their business by changing one line of code...

> * Browser people can't break the internet

Taking away a green lock while not even downgrading to http doesn't break the internet. It's not a black and white removal situation. If a browser can take away the EV bar for lack of CT, it can certainly take away the lock completely for egregious lack of compliance with these policies.

> * A key way to improve things is to build, not burn, bridges
> * The internet is loosely coupled, and the incentives and capabilities
>   of people using it vary widely
> * Secure introduction in a globally distributed system is an unsolved
>   problem

Sure, that's why a CA was added despite being known to distribute malware and perform MITM attacks to crack down on political dissidents. Determining whether to add a CA is very much a political decision and it's essentially a matter of choosing sides since all users end up with the same CAs.

> * Even if by some chance you had the solution, you're going to have a
>   hard time getting heard now

The people who voiced strong, justified concerns against including this CA weren't heard before. I doubt I'm saying anything that hasn't already been said before on discussions you've read. If I wanted to do that I'd just file a Chromium bug rather than ranting on a mailing list where I've never seen any significant community input taken into account before. Trusting a CA known to distribute malware even after they've clearly broken policies is more offensive than any words I can dream of stringing together.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

