[8organicbits]

Microsoft seems to be casual about trusting CAs, isn't transparent in their inclusion decisions, and their trust store is quite large. Any reasonable website would only use a certificate trusted by a quorum of browsers (especially Chrome), so the benefit of the extraneous CAs seems low.

I'm not a Windows user, but I have to wonder if there's a way to use the Chrome trust store on Windows/Edge. I can't imagine trusting Microsoft's list.

[lokar]

They are not transparent because it is based on enabling sales.

[throwaway2037]

    > Microsoft seems to be casual about trusting CAs

Woah, that is a bold statement. Classic HN overreach. I am not here to shill for MSFT, but, in terms of OS sales to gov'ts, no one else has nearly the same level of experience. I am sure that MSFT carefully vets all CA additions.

Are you aware of the big hack on Netherlands govt-approved CA? Read about: DigiNotar. My point: That was a widely trusted CA that was hacked after the root CA cert was added to most browsers / OSes trust stores. So would you say that MSFT was "casual" about trusting DigiNotar root CA? How about Mozilla Firefox? I doubt it.

[8organicbits]

I'm very aware of DigiNotar, I wrote a blog post last year that discusses DigiNotar and even mentions Brazil/ITI [1].

A challenge for Microsoft is that they aren't transparent in their inclusion decisions, so we can only speculate why they chose to trust this CA. What gives you confidence that Microsoft is doing careful vetting?

In stark contrast, Mozilla publicly and extensively documented why they didn't trust this CA [2].

[1] https://alexsci.com/blog/ca-trust/

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=438825

[eschatology]

That bugzilla thread was quite a read! Thank you for sharing

[cookiengineer]

You are comparing a non publicly available trust chain (Microsoft's) with a public and transparent one (Mozilla's/Linux Foundation's) [1]

I don't see any reproducible builds for Microsoft Edge. Therefore, your statement is an assumption and nothing more. We can not trust Microsoft more because they are more proprietary.

[1] https://www.ccadb.org/

[lelandbatey]

> ... In terms of OS sales to gov'ts, no one else has nearly the same level of experience. I am sure that MSFT carefully vets all CA additions.

I don't think those two things have anything to do with each other. Living in Redmond for my entire life has mostly shown me that MS owns one of the best and most lucrative sales orgs and sales channels in the world. That sales channel means they can sell to governments better than nearly anyone one the planet, no matter what their security practices are like.

[anothernewdude]

> I am sure that MSFT carefully vets all CA additions.

I'm sure that Microsoft carefully ensure they're paid for all CA additions.

Given their monopoly there is no incentive for vetting.

[tialaramex]

I'm pretty sure there isn't a fee. Somebody from ISRG (the people who brought you Let's Encrypt) might be able to state categorically that there was no fee charged by Microsoft, obviously it's not free in practice to spin up a decent Certificate Authority, but that's not the same thing as Microsoft charging a fee.

For these government CAs my expectation is that they're a sort of quid pro quo and (wrongly) not seen as a security problem.

[tialaramex]

> I am sure that MSFT carefully vets all CA additions.

Are you? Why? For Mozilla the vetting process takes place in public, that's one purpose of m.d.s.policy so we can see what is or is not done and draw our own conclusions.

Each of the proprietary trust stores has an opaque process which unless you're a CA applicant you don't even know what they're asking for, much less what (if anything) they do with it.

These are for-profit companies, and this is a cost centre. The cheapest possible thing they could do is piggy back entirely on the public Mozilla process (which of course for this CA would mean rejecting)

The next cheapest option would be to allow senior management to override Mozilla's decisions for, you know, commercial reasons.

And yes, it would certainly be possible for them to have their own teams every bit as effective as the public process but entirely made up of employees and contractors. Weirdly though, although it's easy to run into people who worked for say, the Windows OS team, or XBox team, or Azure team, you don't run into ex-Microsoft opaque CA process people. One reason might be that they're all career professionals, never leave, never get downsized, maybe there are dozens of them. But the more likely reason is they do not exist.