Hacker News new | past | comments | ask | show | jobs | submit login

I'd settle for an end to the credentialism that ensures only the rich and powerful can enter the CA business. The actual technical chops and physical/operational requirements to become a CA are modest by the standards of the average HN reader, but the financial cost for the audit required to wind up in the browser trust stores is prohibitively high.

...That, and given the massive failures we've seen coming out of the CA world recently, I question whether those audits are actually worth anything.




Aren't the audits what allow us to find out about the failures, and revoke their ability to be a CA?


How many of the most recent failures have come to light as a result of a failed audit, and how many were due to a post-audit, outrage-generating violation of basic best practice and common sense?


The whole point of auditing is to detect problems before they become big, embarrassing, messy failures that put users at risk.

If you hang out on mozilla.dev.security.policy for a while, you'll see plenty of examples of audits exposing weaknesses or sloppiness on the part of CAs, and receiving the resulting pushback from browser vendors. Here's the most recent example I've found: https://groups.google.com/forum/?fromgroups=#!topic/mozilla....




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: