I'm not sure that you actually want to avoid punishing people for choosing crappy CAs. That causes moral hazard, because you're not risking anything yourself by choosing a crappy CA; you're just spreading the risk among everyone else on the internet, because to avoid punishing you, they're accepting certificates issued by a known bad actor.
Doing it this way is actually a good way to handle product differentiation, because generally people won't make browsing choices based on certificate brand name, but commercial website owners will choose a better CA if it means that CA is less likely to get de-certified.
On the other hand, you want to make sure CAs will keep disclosing problems like these when they become aware of them, or they will certainly do anything in their power to keep breaches silent to avoid a certain death of the company.
Well, that was kind of a big difference between DigiNotar and Comodo. DigiNotar got hacked, knew about it, then tried to mitigate without telling anyone. Comodo got hacked and disclosed what they knew ASAP. DigiNotar was pulled from the trusted root stores and went out of business, and Comodo wasn't.
There were probably other reasons for the differential treatment (the scope of the DigiNotar hack was bigger, for example), but I think that a lot of them are essentially strong correlates of the disclosure policy (i.e. if you have other responsible security practices, you're more likely to have a good disclosure policy).
Once the death-of-the-company option is on the table, it gives the CA a reason to comply with any lesser punishment.
For example: fines, changes to procedures, mandatory security audits, agreeing not to issue certain types of certificate, etc. The CA is going to do its best to comply if the alternative is to be put out of business.
Whether we want browser vendors / an industry standards committee to have that much power is another matter, of course.
Your average person probably picks their CA because it's part of their hosting company, who probably resells someone else's CA largely because they're cheap.
You'd be punishing a lot of people, because they don't know better, for something that really should be built into DNS and HTTP.
This just moves the problem down one level and doesn't change anything. If you're a host, you only have an incentive to choose a trustworthy CA if by choosing a lesser CA you're risking significant problems for your users (who will switch hosts when they have a really bad experience and suddenly can't take credit cards anymore).