(follow.agwa.name)

482 points sanqui | 1 comments | 30 Nov 24 21:35 UTC | HN request time: 0.286s | source

Show context

resters ◴[01 Dec 24 01:46 UTC] No.42285484[source]▶

The simple solution would be to have independent entities offer trust assertions about CAs and to allow users to consider multiple entities' views in their decision about whether to trust. It's surprising this doesn't exist yet when the attack vector is so clear.

replies(3): >>42285498 #>>42285693 #>>42289535 #

tptacek ◴[01 Dec 24 01:49 UTC] No.42285498[source]▶

>>42285484 #

This is something more akin to a client software bug than a WebPKI issue. Any alternative PKI scheme you could come up with would still be subject to Microsoft cutting deals.

replies(2): >>42286165 #>>42286184 #

8organicbits ◴[01 Dec 24 04:24 UTC] No.42286184[source]▶

>>42285498 #

Can you explain?

I think the parent is suggesting that users should be able to tune their trust stores. I'd imagine that trusting only the CAs that are in all the major trust stores (Google, Microsoft, Mozilla, and Apple) would be a reasonable policy. Few websites would choose a CA that falls outside that group.

replies(1): >>42286223 #

tptacek ◴[01 Dec 24 04:35 UTC] No.42286223[source]▶

>>42286184 #

Users can tune their own trust stores.

replies(1): >>42286261 #

8organicbits ◴[01 Dec 24 04:46 UTC] No.42286261[source]▶

>>42286223 #

Is there a way to do it that isn't tedious? I'm not familiar with tooling beyond the UI browsers offer, which doesn't match the experience I was trying to describe.

replies(2): >>42287346 #>>42297263 #

1. dadrian ◴[02 Dec 24 15:44 UTC] No.42297263[source]▶

>>42286261 #

The next version of Chrome introduces a whole UI for this at chrome://certificate-manager.

↑

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com