> Yep. That's the system working. CA does something they shouldn't, we
> find out, CA is no longer trusted (perhaps for a time).
> 
> Or do you have an alternative system design where no-one ever makes a
> mistake and all the actors are trustworthy?
> 
> Gerv

Yes - as I said previously.  Do the existing certificate checks to a trusted CA 
root, then do a TLSA DNS lookup for the certificate PIN and check that *as 
well*.  If you did this (and Google publish their SHA512 hashes in DNS) you 
could have had lots of copies of Firefox ringing back "potential compromise" 
messages.  Who knows how long those certificates were out there (or what other 
ones are currently out there that you could find just by implementing TLSA).

The more routes to the trust the better.  Trusted Root CA is "all eggs in one 
basket".  DANE is "all eggs in one basket", DNSSEC is "all eggs in one basket".

Put them all together and you have a pretty reliable basket :)

This is what I mean by working a security rating A,B,C,D,Fail - not just a 
"yes/no" answer.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
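The two-route check proposed in the reply above (the CA chain result first, then a TLSA pin lookup, folded into a graded answer instead of yes/no), written out as an added example that is not code from the original thread. It assumes the TLSA record and the DNSSEC validation status have already been obtained, uses constructed placeholder bytes in place of real DER, and the A/B/C/D/Fail scheme it applies is this example's own assumption.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class TLSARecord:
    """One TLSA RR (RFC 6698): usage, selector, matching type, certificate association data."""
    usage: int          # 1 = PKIX-EE, 3 = DANE-EE: pin names the end-entity cert
    selector: int       # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # the pin as published in DNS

def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented end-entity certificate satisfies the TLSA pin."""
    if record.usage not in (1, 3):  # usages 0/2 pin a CA in the chain: not covered here
        raise ValueError("only end-entity usages are handled in this example")
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        digest = selected
    elif record.matching_type == 1:
        digest = hashlib.sha256(selected).digest()
    elif record.matching_type == 2:
        digest = hashlib.sha512(selected).digest()
    else:
        return False  # unknown matching type: cannot verify, so treat as no match
    return hmac.compare_digest(digest, record.data)

def rate_connection(ca_chain_ok: bool, tlsa_ok: Optional[bool], dnssec_ok: bool) -> str:
    """Grade the connection instead of yes/no; tlsa_ok is None when no record exists.
    The letter scheme is this example's own assumption; the post only asks for grades."""
    if not ca_chain_ok:
        return "Fail"  # the existing chain check already rejects this
    if tlsa_ok is None:
        return "C"     # CA path only: no second route to trust
    if tlsa_ok:
        return "A" if dnssec_ok else "B"  # pin agrees; B when the record is unsigned
    if dnssec_ok:
        return "Fail"  # signed record disagrees with the presented cert: potential compromise
    return "D"         # unsigned mismatch: the record itself may have been spoofed

# Constructed sample input, not a real certificate: stands in for the DER bytes.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-sample-certificate"
SAMPLE_SPKI_DER = b"\x30\x59constructed-sample-spki"
SAMPLE_PIN = hashlib.sha256(SAMPLE_CERT_DER).digest()  # what the domain would publish

def demo(presented_cert: bytes) -> str:
    """Check a DNSSEC-signed '3 0 1' record against the presented cert and grade it."""
    record = TLSARecord(usage=3, selector=0, matching_type=1, data=SAMPLE_PIN)
    return rate_connection(True, tlsa_matches(record, presented_cert, SAMPLE_SPKI_DER), True)
```

A certificate that the CA chain accepts but that disagrees with a signed pin comes back as "Fail", which is the "potential compromise" signal the reply describes.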