Add Honest Achmed's root certificate (2011) (opens in new tab)

(bugzilla.mozilla.org)

73 pointstimothyg2y ago25 comments

25 comments

For a long time, I've argued we need leaf certificates to be double signable. That way there can be two chains of trust for a website. Then dropping a CA doesn't matter much, since all serious parties should have multiply signed paths to various roots of trust. Hence we solve the problem of CAs becoming to big to fail.

The current way cross-signing works is almost an accident, and only works for intermediate certificates. Because the 'signing cert' is looked up by name. An intermediate cert can be published twice with the same name, same key, but different signatures and signing cert. Hence doing this for a leaf certificate would mean 'just get two certificates'.

saurik2y ago

I see what you meant--having two for redundancy--but I was much more excited by the idea of having two where both had to be valid, as getting two organizations to issue you a bogus certificate is going to be a hell of a lot harder than getting one (not impossible, but often an entirely different kind of attack). Maybe we require three and at least two have to be valid, providing the benefits of both angles? ;P

rocqua2y ago

Perhaps have this go together with an Extended Validation certificate?

voz_2y ago

I never find this kind of stuff funny... it's more snark than humor. It's also got a weird racial tinge on the tiresome trope of a somewhat distrustful middle eastern laborer, which makes it gross.

antonvs2y ago

How is he somewhat distrustful? He’s Honest Achmed, it’s right there in the name. And the application is certainly very honest.

snapplebobapple2y ago

This is the same logic i use to disallow microsoft on my network. You need to at least be regular size or get hard to be on my network..........

Dalewyn2y ago

When all you have is a hammer, everything looks like a nail.

voz_2y ago

Nah bro, google "Achmed". Top search is "Achmed the Dead Terrorist".

Also, there's a lot of racist nails lying around, so being a nice strong anti racist hammer is not the worst thing I've been accused of.

hkt2y ago

Classic of the genre.

I remember around the time of the diginotar horrors looking at DANE and DNSSEC. As I understand it, DANE still isn't supported by browsers, and DNSSEC is still in a pitiful state.

tptacek2y ago

DANE is even worse than the CAs in this regard. Nobody trusts the CAs, so they all have to record all their issuances in a transparency log. If a CA misissues, the browsers will kill it (as has happened with some of the largest CAs). There's no way to revoke a misissued DNSSEC signature and there's no transparency log for DNSSEC, nor will there ever be, because the browsers can't force DNS registries to implement it the way they could force CAs.

hkt2y ago

Fair point. I'd honestly not considered the flaws of DNSSEC and how they play with DANE.

Another day in tech, another deep sigh.

cornholio2y ago

DANE is a great idea in theory, botched by a bad practical implementation and low deployment (how much of that is related to the influence of the CA mafia is left as an exercise to the reader). There is some hope for the future: https://www.sidn.nl/en/news-and-blogs/new-opportunity-for-da...

phnofive2y ago

Contemporary discussion, nearly twelve years ago:

https://news.ycombinator.com/item?id=2463762

jwilk2y ago

(114 comments)

Also:

2016: https://news.ycombinator.com/item?id=10839315 (68 comments)

2017: https://news.ycombinator.com/item?id=15838324 (10 comments)

userbinator2y ago

Inclusion policy is here

12 years ago, that meant something different.

ThePhysicist2y ago

Seems quite racist to me using the stereotype of the middle eastern shady used cars dealer? Do we want such content here (I'd say no)?

justsomehnguy2y ago

> Seems quite racist to me

So if it was Honest John you would be okay with that?

> Do we want such content here (I'd say no)?

You have 'flag' and 'downvote' buttons for this.

snapplebobapple2y ago

All johns are honest, it is what gets them in trouble with the vice squad....

Thorrez2y ago

I don't think there's a downvote button for posts.

1 more reply

kimi2y ago

So the ACME protocol is a play on Achmed?

awestroke2y ago

How much does an audit cost? How much work would it be to get Honest Achmeds root cert added to all major OSs and browsers?

labster2y ago

Only 11 years later, Elon Musk started selling blue check marks on Twitter. Achmed was ahead of his time.

biorach2y ago

Please, "Honest Elon"

awestroke2y ago

They were already meaningless

j / k navigate · click thread line to collapse

25 comments

rocqua2y ago

saurik2y ago

rocqua2y ago

Perhaps have this go together with an Extended Validation certificate?

voz_2y ago

I never find this kind of stuff funny... it's more snark than humor. It's also got a weird racial tinge on the tiresome trope of a somewhat distrustful middle eastern laborer, which makes it gross.

antonvs2y ago

How is he somewhat distrustful? He’s Honest Achmed, it’s right there in the name. And the application is certainly very honest.

snapplebobapple2y ago

This is the same logic i use to disallow microsoft on my network. You need to at least be regular size or get hard to be on my network..........

Dalewyn2y ago

When all you have is a hammer, everything looks like a nail.

voz_2y ago

Nah bro, google "Achmed". Top search is "Achmed the Dead Terrorist".

Also, there's a lot of racist nails lying around, so being a nice strong anti racist hammer is not the worst thing I've been accused of.

hkt2y ago

Classic of the genre.

I remember around the time of the diginotar horrors looking at DANE and DNSSEC. As I understand it, DANE still isn't supported by browsers, and DNSSEC is still in a pitiful state.

tptacek2y ago

hkt2y ago

Fair point. I'd honestly not considered the flaws of DNSSEC and how they play with DANE.

Another day in tech, another deep sigh.

cornholio2y ago

phnofive2y ago

Contemporary discussion, nearly twelve years ago:

https://news.ycombinator.com/item?id=2463762

jwilk2y ago

(114 comments)

Also:

2016: https://news.ycombinator.com/item?id=10839315 (68 comments)