
> it'd be justification for removing Symantec's CA certs from browsers

More than half of the CAs have publicly violated trust at some point. The governments of the US and China, who are arguably the biggest threats to HTTPS, still have CAs.

While I agree with you wholeheartedly, it doesn't look like either incompetence or malice vis-à-vis security are substantial enough justifications for the browser makers to pull the plugs here.



Can you point to USG or Chinese CAs that publicly mis-issued or used certs? CNNIC comes to mind and they've been removed. Which others were you thinking about?


I'm not aware of any; I was just referring to the evident more general contempt for security.


In other words, no USG or remaining China CA has violated the CA guidelines and requirements publicly.


I'm not sure what you are suggesting - that the CA guidelines need to be changed? Instead of the CA system being scrapped?


CNNIC did not mis-use or mis-issue certs, but issued a cert to an Egyptian company which mis-used it, iirc.


Uh, issuing a CA cert to the Egyptian company was the very definition of mis-issuing a cert!


No, the definition of mis-issuing a cert is when you issue a Google cert to someone who isn't Google. Not doing due diligence on what people to whom you've issued a cert are doing with it is a little different.

This is just semantics, though. I think everyone agrees they done bad.
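The distinction drawn in this thread (issuing a leaf cert for a name the subscriber does not control, versus handing an unconstrained intermediate to a third party who then mints such certs) comes down to how chain validation works: a verifier that trusts the root accepts any leaf an intermediate signs, for any hostname, unless the intermediate is name-constrained. The following Go program is an added example written for this page, not code from any commenter or from CNNIC; it builds a hypothetical root, sub-CA and leaf entirely in memory (all names, keys and the "example.net" / "www.google.com" hosts are constructed for the demo) and checks which chains Go's standard verifier accepts, with and without a Name Constraints extension on the sub-CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a throwaway P-256 key for one of the three certificates.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent (self-signed when parent == tmpl) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// ChainValidates builds a hypothetical root -> sub-CA -> leaf chain for leafHost and
// reports whether a verifier that trusts only the root accepts the leaf for that host.
// If permittedDomain is non-empty, the sub-CA carries a critical Name Constraints
// extension permitting only that DNS domain (and its subdomains). The second return
// value is the verifier's error text, or "ok". All names here are constructed for the demo.
func ChainValidates(leafHost, permittedDomain string) (bool, string) {
	now := time.Now()
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Hypothetical Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// The sub-CA stands in for an intermediate handed to a third party.
	subTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Hypothetical Sub CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if permittedDomain != "" {
		subTmpl.PermittedDNSDomainsCritical = true
		subTmpl.PermittedDNSDomains = []string{permittedDomain}
	}
	sub := sign(subTmpl, root, &subKey.PublicKey, rootKey)

	// The leaf is whatever the holder of the sub-CA key chooses to issue.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafHost},
		DNSNames:     []string{leafHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, sub, &leafKey.PublicKey, subKey)

	// Validate as a client would: trust only the root, supply the sub-CA as an intermediate.
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       leafHost,
		Roots:         roots,
		Intermediates: inters,
	})
	if err != nil {
		return false, err.Error()
	}
	return true, "ok"
}

func main() {
	for _, c := range []struct{ host, constraint string }{
		{"www.google.com", ""},              // unconstrained sub-CA: accepted for any name
		{"www.google.com", "example.net"},   // constrained sub-CA: rejected outside its domain
		{"mail.example.net", "example.net"}, // constrained sub-CA: accepted inside its domain
	} {
		ok, detail := ChainValidates(c.host, c.constraint)
		fmt.Printf("host=%-18s constraint=%-14q trusted=%-5v %s\n", c.host, c.constraint, ok, detail)
	}
}
```

The first case is the failure mode the thread is discussing: with no name constraint on the sub-CA, a leaf for a name the sub-CA holder does not control chains up to the trusted root and is accepted. The constrained cases show the mitigation available to the issuing CA (RFC 5280 Name Constraints), which most public CAs did not apply to subordinate CAs at the time and which some legacy clients ignore, so the practical defence remained distrusting the intermediate or the root.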



