undefined | Better HN

0 pointstsimionescu1y ago0 comments

I think they're complaining that as an administrator, you only get a binary decision: trust all certificates signed by this CA, or trust none of the certificates signed by this CA. The Chrome devs can implement more fine-grained decisions, such as trust all certificates signed by this CA with SCT<October 2024, but they don't expose this type of control to admins.

0 comments

amluto1y ago

Exactly. I’d also like to be able to trust a certificate for a limited set of domains. This would be extremely valuable for all kinds of use cases.

tardy_one1y ago

IMO the problem is worse if considered from the perspective of the user. There is no visual distinction that the chain of trust goes back to a local admin managed store and that the admin can arbitrarily trust certificates outside their proprietary domain.

It should be perfectly reasonable and probably required for an employee to be able to order reimbursed things like travel arraingements with a credit card on their org provided device, but that org may MITM any trust chain for some administrative convenience.

The org itself could cross sign with name constraints if they opt to be good, but would probably end up filing a lot of bugs in various software that can't handle it and their being good is the kind of selfless act that rarely happens without a regulatory requirement to pay for consequences of doing a MITM of your employees on the Internet.

ethbr11y ago

To me, this seems like a solid tradeoff of authority.

In practice, complexity and customizability breeds ossification, because "safe" becomes the tiny sunset of common configuration.

I could definitely see network appliance vendors, IT network security admins, endpoint security vendors, etc. rapidly fucking up everything.

At least with delegation to browser vendors + certificate transparency logs, we have a semi standard path for a detrust like this to be forced without exploding the ecosystem.

Additionally, if there were more wiggle room, you'd alter the balance of power between browsers and CAs, which seems decently calibrated now.

richardwhiuk1y ago

The local admin means "the user's employer's IT department", which, for the sake of a work laptop, they implicitly trust way more than Mozilla/Microsoft/Google/Apple etc who managed the public root stores.

1 more reply

amluto1y ago

I can imagine an organization wanting to run a CA for all kinds of reasons, and wanting to ignore some CA/B forum rules for all kinds of reasons. And, if that organization owns name.com and wants its employees to use ordinary web browsers (on corporate devices) to access resources protected by those certificates, then it seems entirely reasonable to have a *.name.com name constraint. The only problem is that browsers don’t support this.

1 more reply

j / k navigate · click thread line to collapse

0 comments

amluto1y ago

Exactly. I’d also like to be able to trust a certificate for a limited set of domains. This would be extremely valuable for all kinds of use cases.

tardy_one1y ago

ethbr11y ago

To me, this seems like a solid tradeoff of authority.

In practice, complexity and customizability breeds ossification, because "safe" becomes the tiny sunset of common configuration.

I could definitely see network appliance vendors, IT network security admins, endpoint security vendors, etc. rapidly fucking up everything.

At least with delegation to browser vendors + certificate transparency logs, we have a semi standard path for a detrust like this to be forced without exploding the ecosystem.

Additionally, if there were more wiggle room, you'd alter the balance of power between browsers and CAs, which seems decently calibrated now.

richardwhiuk1y ago

1 more reply

amluto1y ago

1 more reply

j / k navigate · click thread line to collapse