There needs to be better support for self-signed certificates, or at least a CA that is free and doesn't have strings attached (looking at you StartSSL with payment required to re-issue a cert).
I would love to have certificates for all of my domains, but it simply isn't worth it to me for the 40 - 50 hits a month I get on those properties to pay for a cert, or go through the hassle of StartSSL and worry about having to pay if the next Heartbleed happens.
"The server certificate, if one is proffered by the alternative service, is not necessarily checked for validity, expiration, issuance by a trusted certificate authority or matched against the name in the URI."
In other words, the certificate presented is merely used to secure the connection against a passive attacker.
And all we'd have to do is sign a giant chunk of the security of the Internet to the entities who run the top level domains, which should be fine, because no way would the DOJ ever manipulate the DNS to accomplish a policy goal.
If the URI RFC mandated https://[fingerprint], I'd agree with you. But the TLD is the entity we trust with the responsibility of delegating domains in the juridical sense anyway.
If they say I own Google.com, I own it in every possible way, and I should be able to generate certificates for it. That's regardless of whether we use a CA model or a DNS-delegated one such as DANE.
I would be perfectly fine with a model where we store certificates directly in WHOIS, but that would be slower and less practical that just using DNSSEC, which is already deployed.
CA is useful only if it's in all major browser. If Mozilla started a CA, they'd have to convince Google, Apple, Microsoft and others that they're a trustworthy CA.
I guess it may be hard to get everybody's trust if you're running a CA as a side business.
11 comments
[ 2.5 ms ] story [ 37.2 ms ] threadI would love to have certificates for all of my domains, but it simply isn't worth it to me for the 40 - 50 hits a month I get on those properties to pay for a cert, or go through the hassle of StartSSL and worry about having to pay if the next Heartbleed happens.
"The server certificate, if one is proffered by the alternative service, is not necessarily checked for validity, expiration, issuance by a trusted certificate authority or matched against the name in the URI."
In other words, the certificate presented is merely used to secure the connection against a passive attacker.
Could you explain this in more detail?
If they say I own Google.com, I own it in every possible way, and I should be able to generate certificates for it. That's regardless of whether we use a CA model or a DNS-delegated one such as DANE.
I would be perfectly fine with a model where we store certificates directly in WHOIS, but that would be slower and less practical that just using DNSSEC, which is already deployed.
I guess it may be hard to get everybody's trust if you're running a CA as a side business.