Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Mozilla is between a rock & a hard place here, but there is no spin I think you can put on this story in which Mozilla stood up against abuse of trust

I'm not sure it's worth our energy to be so disappointed in Mozilla here. That "they're between a rock and a hard place" precisely is the spin within which they stood up against abuse of trust.

They have sent out a letter so far. One of your worries appears to be that it sets the precedent that companies who do what Trustwave did can expect (only) letters in the future. But (iirc, and perhaps even in the bugzilla thread) one of the stated purposes of the letter is to set the opposite precedent: to publicly warn commercial CA's that future bullshit will result in distrusting.

I happen to think Trustwave had plenty of warning without the letter, but this particular hard place is particularly thorny because Mozilla is such a central policy hub. That's a problem you touched on above, that we agree needs a fix, but it's the way things are today.

The other half of the hard place is that before Trustwave pulled this BS, they issued a whole lot of legit commercial certs to a predominantly innocent user population. And you know, they can and should all go acquire certs from someone else, but they can't do that overnight. So if we really want Trustwave to get distrusted, I feel like we should focus our energy on a) telling people that Trustwave sucks and urging them to migrate, and b) paying attention/effort to initiatives like the one you mentioned from MM.



I'm mostly with you. But Mozilla could issue a blanket moratorium on the issuance of CA=YES certs to external organizations; Verisign would, during the moratorium, only be allowed to issue chained CA certs for Verisign properties.

They could do that today. Nothing would break.

Then they could spend some time --- spend as much time as they like, really --- coming up with a policy that allows extraordinarily trusted companies to sponsor and sign subCAs.

But they didn't do that. It's not just that they only issued a letter; it's that the letter is comically weak.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: