Mozilla Asks All CAs To Audit Security Systems 77
Trailrunner7 writes "Already having revoked trust in all of the root certificates issued by DigiNotar, Mozilla is taking steps to avoid having to repeat that process with any other certificate authority trusted by Firefox, asking all of the CAs involved in the root program to conduct audits of their PKIs and verify that two-factor authentication and other safeguards are in place to protect against the issuance of rogue certificates."
Re:Two factor, three factor (Score:2, Interesting)
Man, you are a broken record. We already talked about this a few days ago, but you are stubborn. I talked nicely then, but you really should leave security to people who have a clue. My karma can take the flak, so I'll be caustic.
Who can trust a CA? Why would you trust a CA? How did a CA earn your trust?
You trust CAs because the server you are talking with, by itself, can't confirm nor deny it is who it says it is: you need a third party and you said it yourself a few lines below. You trust those CAs because it's an audit-only club, and the friggin' web browser's company checked it. I trust those approved CAs because I trust the company backing up my web browser (if you don't, you lost the game right at the beginning). I use Firefox a lot more than Lynx because it's usable, go figure: they checked those third parties and said they can be trusted. End of story.
Mozilla, it's time to own up. This is a bunch of nonsense. Stop treating self signed certificates like cancer, provide a way to see the fingerprint clearly, don't bother with the 'lock' icon and start working on some real innovation - how to do trust by having distributed lists of fingerprints, signatures, whatever. Something that doesn't rely on a signing authority at all.
So, I enter americanexpress.com and a web page tells me "This is a self-signed certificate, nobody backs it up but I promise I am who I am". Riiiiight. Let's suppose they even give me a fingerprint or signature or whatever... That means squat: a certificate from an impostor also has a fingerprint. With what/whom do I check it, then?
A distributed list of fingerprints, signatures, whatever"
How adorable, you trust in a bunch of lists. Or, I should say, a third party. How you can make this work without thinking this as a distributed CA schema instead of a self-signed certificate eludes me. If there are plenty of lists and your certificate gets compromised, how can you change them in a timely manner? It's like those corrupt files on eMule that never vanish. If everyone and their mothers can add lists, I just need to control N lists (either by hacking or creating those myself) that say your certificate is false and it's game over. The only way I can trust those "lists" is if they audit with someone I or Mozilla trust, and we are back to square 1 with the system that's currently in place, but instead of adding a single CA, you add more that back your certificate. I told you I agree with that idea of multiple CA validation (I heard some people call them notaries, it's the same crap with different smell), yet on your previous post you told me that's not a CA or how web browsers should handle it.
You want to do real innovation instead of looking at hiding address bar from the users [pcworld.com]? Do this instead.
So that's why that company died five years ago! They didn't listen to your suggestions! Oh, wait, I met two fellas from Mozilla and they still make ends meet...
I won't bother replying or seeing responses. It irritates me to hearing the same bad idea twice.