[yonixw]

I think the steel man version of the argument is: "You showed that there is no effective monitoring or transparency that me as a user can get, and as such, Where is the trust come from. What fundamentally causes Mozilla (or any) to trust CAs more than randomly distributed certificates."

[stevewatson301]

The CA/Browser forum's requirement and enforcements such as this one (and against DarkMatter, CNNIC and the likes) give me the required confidence to trust them, even though I'd agree it's not a perfect process.

Your average user is unlikely to begin to understand why a CA would be trustworthy, and a web of trust model only works for social situations but not for certificate distribution.

[tremon]

"A moose once bit my sister. Therefore all meese must be sacked".

I have trouble seeing this as a steeled version of anything. "People have uncovered a flaw in the system, therefore the entire system is unfit for purpose" does not really make a compelling argument. It displays selection bias, hasty generalization, nirvana fallacy, and something about babies and bathwater.

[FeepingCreature]

If people have "uncovered a flaw", but there is reasonable expectation that the flaw is very widespread and broadly ignored, then there is a reasonable suspicion that the flaw is being weaponized in this case. This is why in many legal systems it is in fact a valid defense to note that the law you are being prosecuted under is not being broadly applied, implying state caprice and corruption.

[yonixw]

> uncovered a flaw in the system

I will argue it is not the a flaw in some random aspect of the system, but the main propose of the system. Which is to vet companies they trust to distribute it through CA signing.

Do you think I will buy from a restaurant after finding they had expired food? Good food is the reason I'm there in the first place.

[pas]

CAA records and CT logs work, do browsers check them?

I know nobody likes DNSSEC, but DANE works too :)

[Avamander]

DANE works on the assumption that DNSSEC is secure, but it's just an another PKI that's way worse and less transparent.

[xorcist]

How so?

DNSSEC is a PKI that follows DNS delegation, and no CA can issue certificates out of scope by definition.

That alone should be enough to consider it a strictly better subset of the browser CA PKI model.

[Avamander]

> DNSSEC is a PKI that follows DNS delegation, and no CA can issue certificates out of scope by definition.

Sure, and with that you are forced to trust your name servers (and/or the registry's) and your TLD's and the roots'.

All that with little choice in the matter, and little to no transparency into the process.

Just one example - if your TLD leaks their keys, that's sufficient to forge all the replies a middleman would need and nobody would really notice.

With WebPKI you can use CAA records and Certificate Transparency logs, plus you can get some extra assurance from the fact that they have to comply with the policies set by independent trust stores.

> That alone should be enough to consider it a strictly better subset of the browser CA PKI model.

It's a subset that leaves out the parts that would make it better than WebPKI. Right now it just complements WebPKI, at best.

[xorcist]

If the TLD leaks their keys, and an attacker can impersonate a registrar, you are screwed today. That's on top of the possibility that the CA -- no, any CA -- leaks their keys.

CAA and CT are absolutely wonderful initiatives and do a lot to keep the creaky CA PKI usable. But that's on top of the domain registry which underpins everything.

The registry control ownership of domains. With that comes an indirect power to control who can get domain validated certificates issued. Then on top of that we also have to trust the CA who only do the actual issuing.

That's just strictly worse for no upside other than historical reasons.

Look at the most popular protocols for domain issuance. It's variants of a simple theme, store-and-forward signed ascii messages. It's crypto every step of the way. Yet most of the large TLDs manage with less screwups than many of the CAs.

In my anecdotal experience both types of institutions are manned with very competent people, but I would not hesitate between the ccTLD and the CA which one to trust if given the choice.

[Avamander]

> But that's on top of the domain registry which underpins everything.

Everything but trust. A registry lying to issue certificates for its domains will become visible real quick. If CT makes "creaky WebPKI usable" then DNSSEC is just unusable.

> Yet most of the large TLDs manage with less screwups than many of the CAs.

Hard to screw up what you don't have. Even if a bunch do implement DNSSEC, nobody has really trusted them with the task in a way that it'd actually matter.

TLD operators can't even mandate the use of DNSSEC by registrars, requiring audits is lightyears away in comparison. WebPKI at least does that.

Nobody in their right mind would be claiming an opaque system with zero oversight is somehow better for trust, than the alternative.

[pas]

It's cryptographically signed. it can be validated. browsers can implement it if they wish.

I mean it's not like you need it for every HTTP request, or not like DNS is slow.

yes, there are potential risks. keys can be leaked. just as in any other scenario.

[Avamander]

> It's cryptographically signed. it can be validated. browsers can implement it if they wish.

Valid != trustworthy.