11 comments

[ 2.5 ms ] story [ 37.2 ms ] thread
There needs to be better support for self-signed certificates, or at least a CA that is free and doesn't have strings attached (looking at you StartSSL with payment required to re-issue a cert).

I would love to have certificates for all of my domains, but it simply isn't worth it to me for the 40 - 50 hits a month I get on those properties to pay for a cert, or go through the hassle of StartSSL and worry about having to pay if the next Heartbleed happens.

That's in this spec:

"The server certificate, if one is proffered by the alternative service, is not necessarily checked for validity, expiration, issuance by a trusted certificate authority or matched against the name in the URI."

In other words, the certificate presented is merely used to secure the connection against a passive attacker.

Why can't Google our Mozilla start their own CA? Free certs for everyone!
Because they would be sued by the huge companies that already run CAs.
Google can certainly afford to litigate, and it's unclear to me what they'd be sued over in any case.

Could you explain this in more detail?

Google: [vertical integration antitrust]. Bear in mind that the CAs are organized and some are themselves owned by gigantic companies.
That would be less secure than if we just went with DANE + DNSSEC, which you could start using today without permission from anyone.
And all we'd have to do is sign a giant chunk of the security of the Internet to the entities who run the top level domains, which should be fine, because no way would the DOJ ever manipulate the DNS to accomplish a policy goal.
If the URI RFC mandated https://[fingerprint], I'd agree with you. But the TLD is the entity we trust with the responsibility of delegating domains in the juridical sense anyway.

If they say I own Google.com, I own it in every possible way, and I should be able to generate certificates for it. That's regardless of whether we use a CA model or a DNS-delegated one such as DANE.

I would be perfectly fine with a model where we store certificates directly in WHOIS, but that would be slower and less practical that just using DNSSEC, which is already deployed.

CA is useful only if it's in all major browser. If Mozilla started a CA, they'd have to convince Google, Apple, Microsoft and others that they're a trustworthy CA.

I guess it may be hard to get everybody's trust if you're running a CA as a side business.

(comment deleted)