by nly 4448 days ago
Mozilla should just spin-off their own CA, pricing the service fairly as a non-profit. It's not like they aren't the gatekeepers anyway.

Users don't trust Verisign or StartSSL, they trust whoever Mozilla, Microsoft or Google trust. Stop accepting new CAs in to the browser whitelist, start a CA for the public good with a true open source, full disclosure mentality. Why not?

2 comments

[semi-cross posted from: https://news.ycombinator.com/item?id=7557764]

There was an interesting thread on the subject of starting a CA on the crypto-list last year ("How much does it cost to start a root CA ?"), see e.g.:

http://lists.randombit.net/pipermail/cryptography/2013-Janua...

http://lists.randombit.net/pipermail/cryptography/2013-Janua...

http://lists.randombit.net/pipermail/cryptography/2013-Janua...

And for good measure, on the subject of certs and trust, the thread after:

"another cert failure" (2011)

http://lists.randombit.net/pipermail/cryptography/2013-Janua...

That seems kind of like putting all your eggs in one basket. I think the separation of powers is good, even if what it has produced right now is a bad situation.

Mozilla, Microsoft and Google are carrying the baskets. What you have now is N ways of getting compromised, because even the CAs you don't trust can issue certificates for your domains. To be honest, I'm being a bit tongue-in-cheek. I don't think Mozilla should really do this. I just think people should question this naive belief that the CA industry is out there to help the little guy paying ~$20 for a certificate for their blog or forum.
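The "N ways of getting compromised" point above, shown with Go's standard-library X.509 verifier as an added example that is not from the thread: a client checks only that a chain ends in some root in its store, so a certificate for a domain is accepted whether it came from the CA the site owner paid or from any other trusted root. The three roots, their names and the hostname are constructed demo material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds a self-signed root (parent == nil) or a server certificate for name issued by parent.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // root: nothing in it restricts which domains the CA may certify
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server certificate: hostname matching uses the SAN
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Validates reports whether a client whose trust store is store would accept leaf for host.
func Validates(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}

// Demo returns whether a cert for host is accepted when issued by the owner's CA, an unrelated trusted CA, and an untrusted CA.
func Demo(host string) (mine, other, rogue bool) {
	myCA, myKey := newCert("CA the site owner paid", nil, nil)           // constructed
	otherCA, otherKey := newCert("Unrelated CA in the trust store", nil, nil) // constructed
	rogueCA, rogueKey := newCert("CA not in the trust store", nil, nil)       // constructed
	store := x509.NewCertPool()
	store.AddCert(myCA)
	store.AddCert(otherCA)
	issue := func(ca *x509.Certificate, k ed25519.PrivateKey) *x509.Certificate { c, _ := newCert(host, ca, k); return c }
	return Validates(issue(myCA, myKey), store, host), Validates(issue(otherCA, otherKey), store, host), Validates(issue(rogueCA, rogueKey), store, host)
}
```

Only the third case is rejected: the store, not the owner's choice of CA, decides what the client accepts, which is why the security of a site rests on every root in the list rather than on the one it bought from.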