top | item 46956495

mmsc | 19 days ago

No. HTTPS certificates are being abused for non-https purposes. CAs want to sell certificates for everything under the sun, and want to force those in the ecosystem to support their business, even though https certificates are not designed to be used for other things (mail servers for example).

If CAs don't want hostility from browser companies for using https certificate for non-http/browser applications, they should build their own thing.

MattJ100 | 19 days ago

They weren't "HTTPS certificates" originally, just certificates. They may be "HTTPS certificates" today if you listen to some people. However there was never a line drawn where one day they weren't "HTTPS certificates" and the next day they were. The ecosystem was just gradually pushed in that direction because of the dominance of the browser vendors and the popularity of the web.

I put "HTTPS certificates" in quotes in this comment because it is not a technical term defined anywhere, just a concept that "these certificates should only be used for HTTPS". The core specifications talk about "TLS servers" and "TLS clients".

growse | 19 days ago

The CAB is only concerned with the WebPKI. This means HTTPS.

There's loads of non web, non HTTPS TLS use cases, it's just the CAB doesn't care about those (why should it?).

pjc50 | 19 days ago

> CAs want to sell certificates for everything under the sun

A serious problem with traditional CAs, which was partly solved by Let's Encrypt just giving them away. Everyone gradually realized that the "tying to real identity" function was both very expensive and of little value, compared to what people actually want which is "encryption, with reasonable certainty that it's not MITMd suddenly".

sam_lowry_ | 19 days ago

No. These are just certificates that happen to be used predominantly in HTTPS context and Google tries to tie them exclusively to the HTTPS context.

franga2000 | 19 days ago

Where did you get that idea? These certs have always been intended for any TLS connection of any application. They are also in no way specific or "designed for" HTTPS. Neither the industry body formed from the CAs and software vendors nor the big CAs themselves are against non-HTTPS use.

From https://cabforum.org/

> Welcome to the CA/Browser Forum
>
> The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).

From https://letsencrypt.org/docs/faq/

> Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?
>
> Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.
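The two points made in this thread, that the specifications talk about "TLS servers" and "TLS clients" (MattJ100 above) and that a Domain Validation certificate works for any server with a domain name, mail servers included (the FAQ quoted here), can be shown end to end with Go's standard library. The following is an added example, not code from the thread, from Let's Encrypt or from the CA/Browser Forum. It mints a DV-shaped certificate for the constructed name mail.example.test (self-signed here to keep the example short; a real DV certificate is CA-issued and the client's trust pool would hold that CA instead), serves a constructed SMTP-style greeting over TLS on loopback, and has the client verify the chain and host name exactly as an HTTPS client would. A second connection attempt under a name the certificate does not cover fails before any application data flows, which is the whole of what the certificate guarantees: the name, not the protocol.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed host name for the example; the client checks it against the certificate.
const mailHost = "mail.example.test"

// newServerCert builds an in-memory certificate shaped like a Domain Validation one: a DNS
// name in the SAN and the serverAuth extended key usage, nothing naming HTTP or any other
// protocol. Self-signed only for brevity; a real DV certificate is CA-issued.
func newServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{mailHost}, // the identity a DV CA would have validated
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // what the client trusts; a real client would hold the issuing CA
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// connectAs dials addr expecting expectName, so the chain and host name are verified
// exactly as a browser would verify them, then reads the server's first line.
func connectAs(addr, expectName string, roots *x509.CertPool) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: expectName})
	if err != nil {
		return "", err // chain or host-name verification failures surface here
	}
	defer conn.Close()
	greeting, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(greeting), nil
}

// demo connects once under the certificate's own name and once under a name it does
// not cover; the second attempt must fail before any application data flows.
func demo() (greeting string, mismatch error, err error) {
	cert, roots, err := newServerCert()
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	defer ln.Close()
	go func() { // server side: a constructed SMTP-style greeting over ordinary TLS
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			fmt.Fprintf(conn, "220 %s ESMTP ready\r\n", mailHost)
			conn.Close()
		}
	}()
	if greeting, err = connectAs(ln.Addr().String(), mailHost, roots); err != nil {
		return "", nil, err
	}
	_, mismatch = connectAs(ln.Addr().String(), "www.example.test", roots)
	return greeting, mismatch, nil
}

func main() {
	greeting, mismatch, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(greeting)
	fmt.Println("wrong host name rejected:", mismatch)
}
```

Nothing in the client configuration says "mail" or "web": the same `tls.Config` with `RootCAs` and `ServerName` is what an HTTPS client uses, and the certificate's only identity claim is the DNS name in its SAN. The rejected second attempt is the name check doing its job, not a protocol check.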

dijit | 19 days ago

You’re like, so wrong.

Are we really at an age where people don’t remember that SSL was intended for many protocols, including MAIL?!

Do you think email works on web technology because you use a web-client to access your mailbox?

Jesus Christ, formal education needs to come quickly to our industry.

bux93 | 19 days ago

PKI certificates weren't even intended for SSL; they predate even that.

X.509 was published on November 25, 1988; version 3 added support for "the web" as it was known at the time. One obvious use was for X.400 e-mail systems in the 1980s. Novell NetWare adopted X.509.

It was originally intended for use with X.511 "Directory Access Protocol", which LDAP was based on. You can still find X.500 heritage in Microsoft Exchange and Active Directory, although there's less of it over time, and e.g. Entra ID only has some affordances for backward compatibility.

hulitu | 19 days ago

> Jesus Christ, formal education needs to come quickly to our industry.

It just went away, upset. It might never come back.