Comment by ocdtrekkie
2 days ago
Realistically there's no reason except Google retaining centralized control of the Internet for there to be a specific group of trusted CAs that meet Google's arcane specifications which can issue certificates the entire world trusts.
Your registrar should be able to validate your ownership of the domain, ergo your registrar should be your CA. Instead of a bunch of arbitrary and capricious rules to be trusted, a CA should not be "trusted" by the browser, but only able to sign certificates for domains registered to it.
If your concern is breaking Google's stranglehold on the web, why would Google ever implement DANE? (They probably won't, for other reasons they've already stated, but I'm trying to understand your logic).
They wouldn't and that is part of the problem. We are stuck with a fragile and insecure certificate strategy because the existing strategy allows Google significant control of the ecosystem.
The "I support shorter lifetimes so this all comes crashing down" comment I made earlier is arguably a bit facetious, but I do think the PKI wonks in the CAB are pretty much accountable to no one until they break things badly enough that their bosses have to pay attention to the problem.
Antitrust enforcement remains the fix here.
What other mainstream browser are you counting on to ever support DANE?
s/Google/Apple, Google, Microsoft, and Mozilla/
Not in any realistic way, no. Because Chrome is by far the majority of the market, so what Google ships is what is available on the web. If Google unilaterally decides it is going to distrust a CA, it doesn't really matter who else does or not, the CA is dead.
Not that the other parties are that independent anyways: Microsoft's browser is a Google fork, and is wholly dependent on it. Mozilla's entire funding is Google. Apple is arguably the only somewhat independent party here, but that multibillion dollar annual search deal... let's say it incentivizes collaboration.
Edge may be a fork of Chromium, but they have the capability of shipping whatever roots they want or setting whatever trust policies they want.
And the push-down in certificate age is, or at least was at the beginning, a push from Apple. The others have come around/along for the ride.