The code exists for NSS. There are multiple CA mitigation technologies under consideration right now. CT seems to be the priority. Watch Chris Palmer's TrustyCon presentation for more details.
There are multiple CA mitigation technologies under consideration right now.
Do these "mitigation technologies" require us to continue paying CAs protection money? From what I read about TACK, it seems like it doesn't require that, but what's actually being done?
"Protection money" meaning paying for them to run a CA infrastructure, handle audits, and verify identity as per requirements? (Admittedly, "domain control" verification is sorta useless and completely automated.) Are HSMs and all these people supposed to just be paid on goodwill?
Not that some CAs aren't overpriced, but calling it "protection money" is just silly. You're free to go use your own CA. Once you've got it all setup and meet criteria, I'm sure Mozilla and others will let you in.
It's just protection money. No regular user actually cares about EV certs. The lowest thing that passes validation (domain validated certs) is fine and that's trivially automated.
The exorbitant fees are a joke that don't result in any improved security for the end user.
I'm not so sure about that, the way the browser vendors and companies beat it into their user's heads to look for the green bar with the company name on it.
Granted, it's still a scam. "Pay us money or all your customer's browsers will get scary and misleading error messages!"
and 99.99999999% of the time, a self signed cert represents... not much of anything, other than the fact that a site owner declined the to pay the PKI racket's protection money.
And even if we ignore that, the whole "EV Cert" thing is a total sham. All the EV cert does is indicate that you overpaid for it.
An untrusted cert looks identical to an attack. So the CA, while perhaps a circus, is necessary with current technology. Without that, there's no way to determine if you've been MITM'd or not - that's like the whole point of using TLS.
I know there are other proposals, but within the current constraints of the "global PKI", there's no alternative.
On a side note, for an EV cert, the CA must verify the registrant of the domain. They usually do a phone call to verify a phone number matching some other record with the name of the registrant. That takes some human effort to verify; more than an automated email. (In addition to just running a company, keeping a CA online but secure, etc.)
So the CA, while perhaps a circus, is necessary with current technology.
With current technology, it is not necessary.
Because of the blockchain (current tech) they serve absolutely no useful purpose.
You cannot claim that because web browsers voluntarily choose not to use it that it somehow disqualifies it as current tech.
Same goes for the EV cert and phone calls and all that jazz. Simply not necessary, and adds no extra value. In fact, it makes all of us less secure as the article points out.
If, to take one of my favorite companies as an example, Mozilla were to support the blockchain for authentication, they would register themselves there, and that's that. No phone calls necessary, they simply own their identity, and can, via established existing channels (@mozilla twitter account, their newsletter, their .com, etc.) declare what is and isn't official.
They can even get their .com into the blockchain, although that isn't yet current tech:
