Mozilla wants CAs to revoke 30 random certificates per year (opens in new tab)

(groups.google.com)

45 pointsmirages1y ago34 comments

34 comments

> Would a CA be allowed to pre-notify customers whose certs were randomly selected and {pre/re}-issue them replacements?

If this is permitted, then I see no problem with this plan. It will force people to do what they already should be doing: have a plan in place to rotate certificates in case of revocation.

> The point is that right now revocation is so painful that it’s causing CAs to side with subscriber convenience over the integrity of the web PKI. Sampled, controlled revocations let us identify points of pain before they have security implications, and motivate Subscribers to prepare their systems—whether through automation or not, up to them, I’m not their dad—to tolerate on-time revocation. We care about the likely outcomes of automation, such as tolerance of short revocation or expiry timelines, really, but if BigSlowCo wants to staff a 24-hour cert maintenance squad such that they don’t (successfully) pressure their CA into blowing revocation deadlines, that’s their opex choice. Directly evaluating ecosystem capability around prompt revocation is the only way I can think of to identify areas of danger or weakness before they become issues for the web.

This is like testing the fire extinguishers.

alyandon1y ago

That is a pretty breathtaking example of ivory tower thinking if there ever was one. I really just don't know what else I can say about that kind of proposal.

likeabatterycar1y ago

To put things into perspective, the people behind the browser with < 2.5% market share are acting like they have the biggest swinging dick in the room, and proposing policies with authority, that could potentially screw over 100% of the internet. Think about that for a minute.

The reality is the CAs could tell Mozilla to go pound sand and they would have no recourse. Is there not a governing body for certificate policies with voting members?

CA trust should be handled at the OS vendor level. Mozilla having its own trust anchors is a relic of the past. If CAs refuse to comply, they at worst inconvenience 2.5% of their customers temporarily until they find a better browser.

agwa1y ago

Google Chrome also takes a hard line when it comes to revocation requirements, and Apple wants to limit certificate lifetimes to 45 days. Although neither have stated a position on random revocations, they are directionally aligned with Mozilla and you will be disappointed if you expect either of them to prioritize server operator convenience over the security of their users.

As for Microsoft, they are simply asleep at the wheel, trusting terrible CAs that do things like misissue a google.com certificate <https://bugzilla.mozilla.org/show_bug.cgi?id=1934361>.

3 more replies

ForHackernews1y ago

>CA trust should be handled at the OS vendor level.

Who's the "vendor" for Linux? IBM?

The outcome of this idea is Google & Microsoft can MITM all internet traffic.

2 more replies

nimish1y ago

This is classic "we don't have a purpose so let's cause problems" thinking. WTF!!

likeabatterycar1y ago

It's not even the most insane suggestion in the thread. That would be the proposal to require ACME for all certificates. So all your appliances with manual cert installation and devices without direct connection to the internet would break.

gruez1y ago

>That would be the proposal to require ACME for all certificates. So all your appliances with manual cert installation and devices without direct connection to the internet would break.

Technically ACME supports challenges that work without "direct connection to the internet", eg. DNS.

hulitu1y ago

Better make any certificate expire after 20ms. Slow internet ? Bad luck. /s

Habgdnv1y ago

And what about revoking the certificate of mozilla.org 30 times instead?

agwa1y ago

Their certificate will be automatically replaced 30 times and literally no one will notice or care?

Spivak1y ago

I think Roman Fischer in the thread has it right, 30 certs is a single drop of water the Atlantic. Like there's no wink wink necessary, at that scale it would be flatly irrational to do anything at all to handle being one of these revocations. We're taking about a roughly 0.00001% chance that it's you. Forget some dumb cert revocation logic I would play Russian Roulette with those odds.

But on the flip side those 30 unlucky souls are gonna be pissed. There's so many other less disruptive ways you could do this.

fancyfredbot1y ago

1 in 100k chance of taking down Amazon for say a day means the expected cost to them would be 140k per year based on their daily revenue. So in fact it's worth them hiring someone full time permanently to handle these revocations...

agwa1y ago

Responding to revocations can be automated, and mature organizations like Amazon are presumably already doing that because revocations can already happen unexpectedly for reasons outside their control.

tiffanyh1y ago

Why don’t they revoke the certificate for a special-use domain, like example.com.

As opposed to 30-random entities.

https://en.m.wikipedia.org/wiki/Special-use_domain_name

SpicyLemonZest1y ago

The goal is to ensure not just that the CA is capable of performing the revocation, but that the CA's customers are capable of accepting it and won't demand the timeline be extended. (As they routinely do today.)

DuckConference1y ago

I think the garbage CAs that want to delay certificate revocation way beyond requirements are numerous enough that this proposal won't go ahead. Much easier for them to just do nothing and hope they won't be the next Entrust.

workfromspace1y ago

https://archive.is/ZpXIR

seventytwo1y ago

Why though? What’s the problem this solves?

13171y ago

that's just rude

otabdeveloper41y ago

Good lord, the PKI infrastructure is a completely batshit clusterfuck.

j / k navigate · click thread line to collapse

34 comments

ForHackernews1y ago

> Would a CA be allowed to pre-notify customers whose certs were randomly selected and {pre/re}-issue them replacements?

If this is permitted, then I see no problem with this plan. It will force people to do what they already should be doing: have a plan in place to rotate certificates in case of revocation.

This is like testing the fire extinguishers.

alyandon1y ago

That is a pretty breathtaking example of ivory tower thinking if there ever was one. I really just don't know what else I can say about that kind of proposal.

likeabatterycar1y ago

The reality is the CAs could tell Mozilla to go pound sand and they would have no recourse. Is there not a governing body for certificate policies with voting members?

agwa1y ago

As for Microsoft, they are simply asleep at the wheel, trusting terrible CAs that do things like misissue a google.com certificate <https://bugzilla.mozilla.org/show_bug.cgi?id=1934361>.

3 more replies

ForHackernews1y ago

>CA trust should be handled at the OS vendor level.

Who's the "vendor" for Linux? IBM?

The outcome of this idea is Google & Microsoft can MITM all internet traffic.

2 more replies

nimish1y ago

This is classic "we don't have a purpose so let's cause problems" thinking. WTF!!

likeabatterycar1y ago

gruez1y ago

>That would be the proposal to require ACME for all certificates. So all your appliances with manual cert installation and devices without direct connection to the internet would break.

Technically ACME supports challenges that work without "direct connection to the internet", eg. DNS.

hulitu1y ago

Better make any certificate expire after 20ms. Slow internet ? Bad luck. /s

Habgdnv1y ago

And what about revoking the certificate of mozilla.org 30 times instead?

agwa1y ago

Their certificate will be automatically replaced 30 times and literally no one will notice or care?

Spivak1y ago

But on the flip side those 30 unlucky souls are gonna be pissed. There's so many other less disruptive ways you could do this.

fancyfredbot1y ago

agwa1y ago

tiffanyh1y ago