by 234213wefsdf 2972 days ago
This is absolutely insane, and Microsoft really has no position to make these demands. Does McDonalds have the right to get your driver's license revoked? (Even if you say... use the drive thru to steal McNuggets?)

Hell no, and neither does Microsoft.


Microsoft runs a root store. That gives them more leverage over the CAs than McDonalds has.
I'd be curious what would happen if the "too big to fail" issuers pushed back against this.

Microsoft's only option is to completely drop the root cert, right? So there's no real non-nuclear option...

In the broader sense, this is one downside of the shift towards Let's Encrypt and CAs being more interchangeable: increased power of the root stores relative to them.

Sometimes that's good, sometimes it's evil.

> Microsoft's only option is to completely drop the root cert, right? So there's no real non-nuclear option...

In small-scale disputes MS (and other browser vendors) would not have to nuke an entire large CA to get their way. In principle they could just blacklist the individual certs/names, leaving the CA's other certs alone.

That ability/implied threat probably does mean that the CAs tend to comply with MS piracy/copyright-related revocation requests, because refusing to comply would piss off MS (and possibly law enforcement) without actually stopping them from getting their way by other means.

Sidenote to this: if you want to sign a Windows driver (and on XP+, you do), you can only use Microsoft approved CAs.
Could MS not ultimately stop honoring said vendor's certificates?
Yes, in the extreme case, Microsoft would be able to issue an urgent security update whose only purpose was to remove this CA from the Schannel trust store. The effect would be that IE, Edge, Chrome and most other SSL/TLS applications on Windows ceased to trust those certs. That's obviously really drastic, but they could certainly do it. (Firefox and various Free things wouldn't be affected because even on Windows they don't use Microsoft's trust store)
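The two levels of distrust the thread contrasts (blocking an individual certificate versus removing a root) are both ordinary operations on a Windows machine's CryptoAPI/Schannel stores, which is what an administrator would touch to reproduce either effect locally. Microsoft itself distributes its own disallowed list through the automatic root update mechanism; the script below shows the same two moves done by hand. It is an added example written for this page, not code from the thread or from Microsoft, and the thumbprints are placeholders to replace with values from your own certificate inventory.

```powershell
# Added example (not from the thread): per-certificate distrust vs. root removal
# on a Windows machine's LocalMachine stores. Run in an elevated session.
$LeafThumbprint = 'PLACEHOLDER_LEAF_THUMBPRINT'   # placeholder: one certificate to distrust
$RootThumbprint = 'PLACEHOLDER_ROOT_THUMBPRINT'   # placeholder: the CA root it chains to

# Look a certificate up by thumbprint in the stores chain building reads.
function Find-CertificateByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
}

# Targeted option: add one certificate to the Disallowed store. Chain building
# consults that store, so this certificate (and anything issued under it) fails
# validation while its issuing root stays trusted and the CA's other
# certificates keep working.
function Add-ToDisallowedStore {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($Certificate) } finally { $store.Close() }
}

# Drastic option: delete the root itself. Every certificate chaining to it,
# from every customer of that CA, stops validating in Schannel-based clients.
function Remove-TrustedRoot {
    param([Parameter(Mandatory)][string]$Thumbprint)
    Remove-Item -Path "Cert:\LocalMachine\Root\$Thumbprint"
}

# Check whether a certificate still passes the SSL server chain policy
# (Test-Certificate returns $true/$false; errors are suppressed so the
# result can be compared directly).
function Test-ServerCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    Test-Certificate -Cert $Certificate -Policy SSL -ErrorAction SilentlyContinue
}

$leaf = Find-CertificateByThumbprint -Thumbprint $LeafThumbprint
if (-not $leaf) { throw "Certificate $LeafThumbprint not found in the local stores" }

Write-Host "Before any change, leaf validates: $(Test-ServerCertificate -Certificate $leaf)"

# Step 1: the non-nuclear option. Only this certificate is affected.
Add-ToDisallowedStore -Certificate $leaf
Write-Host "After adding leaf to Disallowed, leaf validates: $(Test-ServerCertificate -Certificate $leaf)"
Write-Host "Root still present: $([bool](Find-CertificateByThumbprint -Thumbprint $RootThumbprint))"

# Step 2 (commented out on purpose; only for a deliberate, audited decision):
# the nuclear option the thread describes. Uncomment to drop the whole CA.
# Remove-TrustedRoot -Thumbprint $RootThumbprint
```

The Disallowed store is the mechanism that makes the "blacklist the individual certs" path real: Windows checks it during chain building regardless of which root the certificate descends from, so an operator can distrust a single leaf or intermediate without the collateral damage of deleting the root. Both steps are reversible by the reverse store operation, which is worth noting before running either against a production machine.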