top | item 33970018


jesboat | 3 years ago

The privately run industry is maybe a tiny bit better, but that's not the point.

The point is that the only way browsers have to influence a CA or the industry is the threat to eventually distrust. If they can't threaten that to government-stamped CAs, then those CAs no longer even have an incentive to operate responsibly, and, as we know from the many, many incidents, they almost certainly won't.

yakak | 3 years ago

They could simply identify these like they did for EV certs. Whether you trust one of them more or less is then your choice (certainly I wouldn't continue on a random e-shop with a country-specific cert, but I also don't like landing on a supposed government site that has a Comodo cert and may want to sell me a green card), mediated by journalism and their ability to keep a better reputation than the lowest CA that still gets a lock.

If I had to guess, half of the least trustworthy CAs in the one-store-fits-all keystore are also government-affiliated ones, and we don't even get anything to differentiate them from any regular commercial cert.