undefined | Better HN

0 pointsphillipseamore8mo ago0 comments

My biggest problem is how centralized issuance is.

Half the year I live on an island that is reliant on submarine cables and has historically had weeks and months long outages and with a changing world I suspect that might become reality once again. Locally this wasn't much of an issue, the ccTLD continues to function, most services (but now about 35%) are locally hosted. Then HTTPS comes along. Zero certificates could be (re-)issued during an outage. A locally run CA isn't really an option (standalone simply isn't feasible and getting into root stores takes time and money), so you are left with teaching users to ignore certificate errors a few weeks into an extended outage.

I could see someone like LE working with TLD registrars to enable local issuance (with delegated/sub-CA certificates restricted to the TLD), that could also mitigate problems like today (decentralize issuance) and the registrars are already the primary source of truth for DV validation.

0 comments

ocdtrekkie8mo ago

Realistically there's no reason except Google retaining centralized control of the Internet for there to be a specific group of trusted CAs that meet Google's arcane specifications which can issue certificates the entire world trusts.

Your registrar should be able to validate your ownership of the domain, ergo your registrar should be your CA. Instead of a bunch of arbitrary and capricious rules to be trusted, a CA should not be "trusted" by the browser, but only able to sign certificates for domains registered to it.

tptacek8mo ago

If your concern is breaking Google's stranglehold on the web, why would Google ever implement DANE? (They probably won't, for other reasons they've already stated, but I'm trying to understand your logic).

ocdtrekkie8mo ago

They wouldn't and that is part of the problem. We are stuck with a fragile and insecure certificate strategy because the existing strategy allows Google significant control of the ecosystem.

The "I support shorter lifetimes so this all comes crashing down" comment I made earlier is arguably a bit facetious, but I do think the PKI wonks in the CAB are pretty much accountable to noone until they break things badly enough that their bosses have to pay attention to the problem.

Antitrust enforcement remains the fix here.

1 more reply

phillipseamoreOP8mo ago

s/Google/Apple, Google, Microsoft, and Mozilla/

ocdtrekkie8mo ago

Not in any realistic way, no. Because Chrome is by far the majority of the market, so what Google ships is what is available on the web. If Google unilaterally decides it is going to distrust a CA, it doesn't really matter who else does or not, the CA is dead.

Not that the other parties are that independent anyways: Microsoft's browser is a Google fork, and is wholly dependent on it. Mozilla's entire funding is Google. Apple is arguably the only somewhat independent party here, but that multibillion dollar annual search deal... let's say it incentivizes collaboration.

1 more reply

j / k navigate · click thread line to collapse

0 comments

ocdtrekkie8mo ago

tptacek8mo ago

ocdtrekkie8mo ago

They wouldn't and that is part of the problem. We are stuck with a fragile and insecure certificate strategy because the existing strategy allows Google significant control of the ecosystem.

Antitrust enforcement remains the fix here.

1 more reply

phillipseamoreOP8mo ago

s/Google/Apple, Google, Microsoft, and Mozilla/

ocdtrekkie8mo ago

1 more reply

j / k navigate · click thread line to collapse

0 pointsphillipseamore8mo ago0 comments

My biggest problem is how centralized issuance is.