by tialaramex 2523 days ago
Somebody has to decide who is trusted. Mozilla (a not-for-profit) thinks that it suits their mission best if they're deciding, at least when it comes to their browser, Firefox, by default.

If you think somebody else should decide - maybe the Government of Italy, or the Queen of England, or Donald Trump, or you personally - then here are a few questions for your new Root Trust Programme:

1. Why? At least Mozilla's rationale is related to a fact: they make Firefox, so it trusts whatever they decide. What would be the rationale for why the Pope gets to decide?

2. Are they actually doing it? This is largely a tedious responsibility. But, if you decide to slack off, every Firefox user gets screwed. So, you know, you're going to need to put those hours in. Forever. I've lost count of how many people or organisations decided they could do better and didn't last a year.

3. Where's the transparency? The main way Mozilla stands out from the other big trust store operators (Apple, Microsoft, Google, and arguably Oracle) is that they're a not-for-profit and so they operate transparently. Your contributions are welcome at m.d.s.policy https://groups.google.com/forum/#!forum/mozilla.dev.security... where we are currently discussing the minutiae of Certificate Policy documentation. If your alternative is less transparent, how is that not worse?


I'm not saying Mozilla isn't a good organisation to run this; I'm saying it seems insane to have what seem like policies that don't allow for any proportional response.

I don't know how involved you are, but to a lay observer this story seems like Mozilla's policies are entirely black and white, to the benefit of nobody (except perhaps to reduce work, I suppose, which is reasonable, but not really a valid reason in terms of security).

Is there no tiered approach to risks? Hell, in this situation it seems like more harm and risk will have been created by the rush to reissue certificates than would have been caused by this theoretical security vulnerability.

Edit: Actually, on further reading, it seems like the issue is more that Actalis didn't correctly invoke their right to this discretionary power?

You may also enjoy https://wiki.mozilla.org/CA/Incident_Dashboard , which all the CAs responding to such incidents need to be aware of, and which shows that there is a rather large amount of proportionality, based on an appropriate degree of transparency and communication.

That is very interesting, thank you. And yes, the tone and approach in all the incidents I read through there seemed great.