undefined | Better HN

0 pointsgeofft7y ago0 comments

Mandatory CT does actually solve that: if a browser won't trust a cert without seeing it include a signed certificate timestamp from a trusted log, then the CA has to disclose certs, even if they're only targeting one user.

But most people don't have e.g. Expect-CT set up, so it's not clear it would help on a majority of sites.

(One reasonable option would be to require certs from DarkMatter, and really every CA going forward, to have SCTs in their certs, and enforce that with a flag in the root store. But if there's a concern about DarkMatter specifically, it's probably better to phrase a change to the root store policies that say "We won't accept CAs we just don't trust" instead of waiting for them to misbehave and then rescinding their membership.)

0 comments

isostatic7y ago

> it's probably better to phrase a change to the root store policies that say "We won't accept CAs we just don't trust" instead of waiting for them to misbehave and then rescinding their membership

Unless you can define the policies up front that's a very risky road to go down. Why refuse to trust DarkMatter, but not refuse to trust China Bank?

j / k navigate · click thread line to collapse

0 pointsgeofft7y ago0 comments

But most people don't have e.g. Expect-CT set up, so it's not clear it would help on a majority of sites.

0 comments

isostatic7y ago

> it's probably better to phrase a change to the root store policies that say "We won't accept CAs we just don't trust" instead of waiting for them to misbehave and then rescinding their membership

Unless you can define the policies up front that's a very risky road to go down. Why refuse to trust DarkMatter, but not refuse to trust China Bank?

j / k navigate · click thread line to collapse