On Mon, Jul 06, 2020 at 03:48:06AM +0000, Peter Gutmann wrote:
> Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org>
> writes:
> >If you're unhappy with the way which your interests are being represented by
> >your CA, I would encourage you to speak with them.
>
> It's not the CAs, it's the browsers, and many other types of clients.

How, exactly, is it not CAs' fault that they claim to represent their
customers in the CA/B Forum, and then fail to do so effectively?

> Ever tried connecting to a local (RFC1918 LAN) IoT device that has a
> self-signed cert?

If we expand "IoT device" to include, say, IPMI web-based management
interfaces, then yes, I do so on an all-too-regular basis. But mass-market
web browsers are not built specifically for that use-case, so the fact that
they don't do a stellar job is hardly a damning indictment on them.

That IoT/IPMI devices piggyback on mass-market web browsers (and the Web PKI
they use) is, as has been identified previously, an example of externalising
costs, which doesn't always work out as well as the implementers might have
liked. That it doesn't end well is hardly the fault of the Web PKI, the BRs,
or the browsers.

Your question is roughly equivalent to "ever tried fitting a screw with a
hammer?", or perhaps "ever tried making a request to https://google.com using
telnet and a pen and paper?". That your arithmetic skills might not be up to
doing a TLS negotiation by hand is not the fault of TLS, it's that you're
using the wrong tool for the job.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy