13 comments

[ 3.7 ms ] story [ 46.3 ms ] thread
Why even allow surveillance firms to be CAs in the first place?
Who decides whether anybody is allowed to be a CA? Do they have your interests at heart?
The article presents this as some kind of difficult decision, but doesn't adequately explain why this should result in anything other than an answer of "no", with a side order of "hell no". Mozilla is under no obligation to add any particular organization to its list of trusted root CAs, and users rely on it for security. Some bizzare notion of "fairness" to a known bad actor doesn't seem like a remotely strong argument to me.

Play stupid games, win stupid prizes.

The rules are the rules. They want to follow the rules. If they don't follow the rules, they'll be making an exception. What's the point on having rules if you make exceptions?
Rules reduce expense, leaving resources to deal with exceptional cases. Applying rules to exceptional cases makes a mockery of both the rules and the organization applying them.
Who's to say what an exceptional case is?
The facts of the case say, all by themselves.

It requires attention by the people applying the rules to recognize the facts, but paying attention is the reason to have people in the loop. Any machine can be corrupted.

Because most of the time the rules are in effect, except for the exceptions.

Rules exist for the purpose they serve, functions they allow to be easier and cheaper. Rules are not made so that rules have been made.

While I agree with Mozilla's decision, the reason that there are rules is so that it isn't arbitrary. Who is to say who is trustworthy? What if Mozilla wants to charge a fee or else they will remove someone?

Those circumstances would easily fall under the purpose they serve.

Yes, they should be troubled by whether they should even bother to explain why they have rejected it, and removed the QuoVadis authorities.

Agonizing over whether to let them in suggests they have let in other questionable entities. "Fairness" is a smokescreen. Nobody honest needs a certificate from a dodgy authority, and nobody with a certificate from a dodgy authority deserves benefit of doubt.

it's a recipe for disaster :(

there are some standards which companies have to comply with in order to be considered a "trustworthy" provider (e.g. for CA's)

https://www.etsi.org/technologies/digital-signature/certific...

I doubt that DarkMatter has any of this (not that this would reduce the risk but it could be used as an argument by Mozilla considering they're stuck between a rock and a hard place.

... Hurries to delete QuoVadis and Chinese gov authorities from my Firefox trusted lists.

Seems like I did this a few years back, on a previous system.

I just did this on my work laptop; is there a way to replicate my certificate lists (or, at best, the deltas)?

> Chinese gov authorities

How would I identify these?