top | item 14711722


halomru | 8 years ago

Punishing CAs for bad behavior (i.e. security problems) has more collateral damage the bigger a CA is. Right now, if a CA is bad enough, browsers just stop accepting their certificates. After a certain size that becomes unfeasible, removing a lot of pressure from that CA.


roblabla | 8 years ago

No, browsers don't do that. See how WoSign was distrusted[0]. Basically, they still trusted existing certificates, but stopped trusting new certs (both renewed and brand new). Through this, they kept collateral damage to a minimum, while carrying out the CA death sentence.

[0] https://blog.mozilla.org/security/2016/10/24/distrusting-new...

nsgi | 8 years ago

The trouble is that's only possible with the CA's cooperation, because they have the ability to backdate the certificates by falsifying the date. In the case of WoSign Mozilla threatened to distrust them completely if they did that, but if it's unfeasible to remove a CA that threat may be ineffectual.
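The two comments above describe a date-based partial distrust (keep certificates issued before a cutoff, reject ones issued after) and the weakness that the issuing CA controls the notBefore field and could backdate it. The following is an added example, not code from this thread or from any browser vendor, showing what such a policy check looks like and how an independent timestamp (a Certificate Transparency SCT, which is set by a log rather than by the CA) closes the backdating gap when one is available. The root name, cutoff date and all certificates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed values for this example: a made-up root name and a made-up
# cutoff date. Certificates chaining to this root that were issued on or
# after the cutoff are rejected; older ones keep working.
DISTRUSTED_ROOT = "Example Trust Root"                 # constructed
CUTOFF = datetime(2016, 11, 1, tzinfo=timezone.utc)    # constructed


def _utc(day: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DD' string into an aware UTC datetime."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


@dataclass
class Cert:
    subject: str
    chain_roots: list            # names of the roots this certificate chains to
    not_before: datetime         # asserted by the CA, so it can be backdated
    sct_timestamps: list = field(default_factory=list)  # set by CT logs, not by the CA


def issuance_evidence(cert: Cert):
    """Return (timestamp, basis) for when the certificate was really issued.

    notBefore is under the CA's control. A Signed Certificate Timestamp is
    produced by an independent log when the certificate is submitted, so
    when SCTs exist the earliest one is the stronger evidence of issuance
    time. Without any SCT the check has no choice but to trust notBefore.
    """
    if cert.sct_timestamps:
        return min(cert.sct_timestamps), "sct"
    return cert.not_before, "notBefore"


def check(cert: Cert):
    """Apply the partial-distrust rule. Returns (trusted, reason)."""
    if DISTRUSTED_ROOT not in cert.chain_roots:
        return True, "not affected"
    issued, basis = issuance_evidence(cert)
    if issued < CUTOFF:
        return True, f"issued before cutoff ({basis})"
    return False, f"issued after cutoff ({basis})"


def evaluate(roots, not_before, scts=()):
    """Convenience wrapper taking date strings for the constructed cases."""
    cert = Cert("example.test", list(roots), _utc(not_before), [_utc(s) for s in scts])
    return check(cert)


if __name__ == "__main__":
    # Constructed cases: an old cert, a new cert, a backdated cert whose SCT
    # exposes its real issuance time, and a cert from an unaffected root.
    cases = [
        (["Example Trust Root"], "2016-01-01"),
        (["Example Trust Root"], "2017-01-01"),
        (["Example Trust Root"], "2016-01-01", ["2017-03-01"]),
        (["Other Root"], "2017-01-01"),
    ]
    for args in cases:
        print(args, "->", evaluate(*args))
```

The third case is the one nsgi raises: the CA wrote a notBefore from before the cutoff, but the log timestamp shows the certificate only existed months later, so the check rejects it. A certificate from the distrusted root with no SCT at all falls back to notBefore, which is exactly the weak spot; a stricter deployment could refuse to accept such certificates without log evidence.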

majewsky | 8 years ago

The pressure will come from the public. If they damage their reputation, people will be less willing to donate, which will pretty directly influence their income stream.

cm2187 | 8 years ago

99% of the public doesn't know what a CA is.