
Aren't the audits what allow us to find out about the failures, and revoke their ability to be a CA?



How many of the most recent failures have come to light as a result of a failed audit, and how many were due to a post-audit, outrage-generating violation of basic best practice and common sense?


The whole point of auditing is to detect problems before they become big, embarrassing, messy failures that put users at risk.

If you hang out on mozilla.dev.security.policy for a while, you'll see plenty of examples of audits exposing weaknesses or sloppiness on the part of CAs, and receiving the resulting pushback from browser vendors. Here's the most recent example I've found: https://groups.google.com/forum/?fromgroups=#!topic/mozilla....



