4 comments

[ 3.0 ms ] story [ 23.0 ms ] thread
There was one interesting question and answer:

Q: "I find that the reasons given in this thread[0] regarding a particular certificate revocation are highly unsatisfactory. Can you justify how this revocation aligns with the views expressed in "The CA's Role in Fighting Phishing and Malware" without resorting to "Microsoft asked us to and therefore we had to?"

A: "If we want to be a trusted CA we need to comply with the MS root program rules (and Mozilla/Google/Apple/etc... rules). If they want us to revoke a cert we have to do it, we don't really have a choice."

So do I get it right, that if MS or any other big company doesn't like my URL, site content etc. they can ask to revoke my certificate just like that? Wow..

0. https://community.letsencrypt.org/t/reason-for-revokation-of...

That's a serious flaw in their program. Wonder what it would take to resolve this
Well, the onus is on the wider tech community to hold each of the vendors to account for what they do and don't do.

There's a delicate balance of trust and cooperation between site owners, vendors, and CAs, where each can make demands and has to serve to a degree each of the others. In situations where this trust is broken by one party, the other two will often move to reject them.

An example of this is a CA being rejected by a vendor after they issue invalid certificates, but on the flip side, a vendor simply throwing a tantrum over a bad domain and pulling trust will leave them as the only browser that "doesn't work" with some number of sites, and that reflects badly on them and they will see fewer people use their products (imagine if only Mozilla ended up rejecting LE certs!).

That's a serious flaw in their program. Wonder what it would take to resolve this.