item 42656079

Mozilla wants CAs to revoke 30 random certificates per year

45 points | mirages | 1 year ago | groups.google.com

34 comments


ForHackernews|1 year ago

> Would a CA be allowed to pre-notify customers whose certs were randomly selected and {pre/re}-issue them replacements?

If this is permitted, then I see no problem with this plan. It will force people to do what they already should be doing: have a plan in place to rotate certificates in case of revocation.

> The point is that right now revocation is so painful that it’s causing CAs to side with subscriber convenience over the integrity of the web PKI. Sampled, controlled revocations let us identify points of pain before they have security implications, and motivate Subscribers to prepare their systems—whether through automation or not, up to them, I’m not their dad—to tolerate on-time revocation. We care about the likely outcomes of automation, such as tolerance of short revocation or expiry timelines, really, but if BigSlowCo wants to staff a 24-hour cert maintenance squad such that they don’t (successfully) pressure their CA into blowing revocation deadlines, that’s their opex choice. Directly evaluating ecosystem capability around prompt revocation is the only way I can think of to identify areas of danger or weakness before they become issues for the web.

This is like testing the fire extinguishers.

alyandon|1 year ago

That is a pretty breathtaking example of ivory tower thinking if there ever was one. I really just don't know what else I can say about that kind of proposal.

likeabatterycar|1 year ago

To put things into perspective, the people behind the browser with < 2.5% market share are acting like they have the biggest swinging dick in the room, and proposing policies with authority that could potentially screw over 100% of the internet. Think about that for a minute.

The reality is the CAs could tell Mozilla to go pound sand and they would have no recourse. Is there not a governing body for certificate policies with voting members?

CA trust should be handled at the OS vendor level. Mozilla having its own trust anchors is a relic of the past. If CAs refuse to comply, they at worst inconvenience 2.5% of their customers temporarily until they find a better browser.

nimish|1 year ago

This is classic "we don't have a purpose so let's cause problems" thinking. WTF!!

likeabatterycar|1 year ago

It's not even the most insane suggestion in the thread. That would be the proposal to require ACME for all certificates. So all your appliances with manual cert installation and devices without direct connection to the internet would break.

Habgdnv|1 year ago

And what about revoking the certificate of mozilla.org 30 times instead?

agwa|1 year ago

Their certificate will be automatically replaced 30 times and literally no one will notice or care?

Spivak|1 year ago

I think Roman Fischer in the thread has it right, 30 certs is a single drop of water in the Atlantic. Like there's no wink wink necessary, at that scale it would be flatly irrational to do anything at all to handle being one of these revocations. We're talking about a roughly 0.00001% chance that it's you. Forget some dumb cert revocation logic, I would play Russian Roulette with those odds.

But on the flip side those 30 unlucky souls are gonna be pissed. There are so many other less disruptive ways you could do this.

fancyfredbot|1 year ago

1 in 100k chance of taking down Amazon for say a day means the expected cost to them would be 140k per year based on their daily revenue. So in fact it's worth them hiring someone full time permanently to handle these revocations...

tiffanyh|1 year ago

Why don’t they revoke the certificate for a special-use domain, like example.com?

As opposed to 30 random entities.

https://en.m.wikipedia.org/wiki/Special-use_domain_name

SpicyLemonZest|1 year ago

The goal is to ensure not just that the CA is capable of performing the revocation, but that the CA's customers are capable of accepting it and won't demand the timeline be extended. (As they routinely do today.)

DuckConference|1 year ago

I think the garbage CAs that want to delay certificate revocation way beyond requirements are numerous enough that this proposal won't go ahead. Much easier for them to just do nothing and hope they won't be the next Entrust.

seventytwo|1 year ago

Why though? What’s the problem this solves?

1317|1 year ago

that's just rude

otabdeveloper4|1 year ago

Good lord, the PKI infrastructure is a completely batshit clusterfuck.