undefined | Better HN

0 pointsnordsieck1y ago0 comments

> Either way, this makes little sense overall. If a CA is trustable, it can be trusted to sign a certificate for any domain. And if it's not trustable, then you can't trust it for any domain.

That's a silly position to take.

When I lived with roommates, I trusted them. But I also locked my bedroom when I went out. Because there's no good reason to rely on trust when you don't have to.

0 comments

tsimionescu1y ago

It is given the design of the PKI and DNS. There's no relation between CA and the TLDs on the certificate being signed.

amluto1y ago

This is true, but it’s an old design that has been (in my opinion at least) obviously wrong since the very beginning of HTTPS. Microsoft could easily fix it, at least for clients that can manage to use an updated API.

tsimionescu1y ago

Microsoft has nowhere near the power to change the PKI and/or DNS. And it's not an API problem, it's a problem of where companies go to get their legitimate certs. If there are a lot of companies getting their certs for international TLDs from country CAs, or country TLDs from international CAs, then you have to wait for huge systemic changes before enforcing any kind of TLD-CA relationship.

account421y ago

Microsoft has absolute power about the restrictions they support in their root store.

1 more reply

j / k navigate · click thread line to collapse

0 comments

tsimionescu1y ago

It is given the design of the PKI and DNS. There's no relation between CA and the TLDs on the certificate being signed.

amluto1y ago

tsimionescu1y ago

account421y ago

Microsoft has absolute power about the restrictions they support in their root store.

1 more reply

j / k navigate · click thread line to collapse