It's fascinating that we've built a system that has expended perhaps several million dollars of engineering, legal and admin etc time over the issue of a single letter not being capitalized [1], without any demonstrable impact beyond a failure to meet ambiguous specifications.
I do hope that dealing with all of the underlying issues around revocation etc makes the time and effort spent useful, and the Web PKI doesn't just mire itself in squabbling that blocks progress on actually meaningful issues.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1894560
ajb|1 year ago
Basically the missing '_' was supposed to allow DNS providers who allow programmatic DNS record creation to filter out unauthorised certificate creation. So the certificates created without it could have been unauthorized by the owner of the domain they claim to certify.
xmodem|1 year ago
> and the Web PKI doesn't just mire itself in squabbling that blocks progress on actually meaningful issues.
In your view, are there any meaningful issues going un-addressed currently?
ocdtrekkie|1 year ago
Fundamentally, there is no accountability in the web PKI stewards. You want to talk about utter waste and incredible damage to the Internet, you can see it right here, in the people determining who is allowed to issue you sets of magic numbers that browsers have agreed are trustworthy, despite everyone involved behaving like complete children.
And of course, the browser operators all have their own root CAs, so basically have extremely motivated reasons to want to eliminate every commercial provider that isn't one of the monopoly companies.
Meanwhile:
- Compromised certificates are basically a non-issue from a threat model standpoint, every certificate error people hit is just... expired certificates people didn't rotate yet.
- Expired certificates cause issues for the majority of businesses at some point or another, making the internet increasingly fragile and unreliable.
drudgemetal|1 year ago