> The webpki is changing dramatically. The amount of CAB/forum violations > seems to be increasing, partially as a result of these violations getting > exposed > by certificate transparancy and perhaps partially because of the financial > strain > caused by the free LetsEncrypt.
Uniformed speculations that are just flat out wrong do not help anyone. LetsEncrypt, if anything, has been a big help to the CA industry. Both free and paid offerings are seeing significant growth. Let's not spread FUD about "financial strain" that does not actually exist. And furthermore, it's best not suggest hypothetical unproved ("seems to be") observations are caused by the previously mentioned cause that doesn't actually exist. That's irresponsible. Tools like cablint have actually contributed far more to improvements in the technical compliance of certificates from vendors who previously didn't adhere that closely to strict compliance with RFCs, CABF requirements, required certificate profiles, and so on. CT is less responsible, as it is only required for EV (though many large CAs have voluntarily started logging all certificates). Many bad certificates were still found the old fashioned way: by crawling for them. There's an old story about an intelligence analyst who found a handful of suspicious structures in a remote desert. More resources were assigned to figure out what they were. A few months later, the number of structures was observed to be increasing rapidly. More resources were assigned. Pretty soon, new ones were found every day. People started panicking, and someone was dispatched to investigate on the ground. It turned out to be a kind of water condenser common in the region, and the increase in numbers was only because people had started looking for them. They had always been there, just no one paid attention to them. The truth is that the increase in activity around problems with various certificates is because people are just paying far more attention to even the smallest, most obscure details of every issued web PKI certificate these days: far, far more than they did even just two or three years ago. And that's a good thing, not a bad thing. Progress is being made. The certificates being issued by almost every CA out there are much technically cleaner than they were when I first started doing CA things, maybe five years ago. The Symantec swamp cleanup effort is also responsible for a significant fraction (the majority?) of recent reports. -Tim
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls