On Tue, Apr 14, 2015 at 3:36 PM, Gervase Markham <g...@mozilla.org> wrote:

> Yep. That's the system working. CA does something they shouldn't, we
> find out, CA is no longer trusted (perhaps for a time).
>
> Or do you have an alternative system design where no-one ever makes a
> mistake and all the actors are trustworthy?
No, but it would make sense to require that sites be validated through a single specific CA, rather than allowing any CA to issue a certificate for any site. That would drastically reduce the scope of attacks: an attacker would have to compromise a single specific CA, instead of any one of hundreds. IIRC, HSTS already allows this on an opt-in basis.

If validation were done via DNSSEC instead of the existing CA system, this would follow automatically, without sites having to commit to a single CA. It also avoids the bootstrapping problem with HSTS, unless someone has solved that in some other way and I didn't notice.
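The opt-in, per-site restriction the reply refers to shipped in browsers as HTTP Public Key Pinning (RFC 7469), which rides on the same trust-on-first-use model as HSTS. The validator below shows what "only this CA may vouch for this site" looks like on the client side: a pin set is noted from a Public-Key-Pins header (only if it includes a usable backup pin), and a later chain for the host is accepted only if some certificate in it matches a noted pin, so a correct-looking chain from any other CA is rejected. This is an added example, not code from this thread or from Mozilla; the Cert class, the SPKI byte strings and the header value are constructed stand-ins, not real certificates or keys.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only what the pin check needs."""
    subject: str
    issuer: str
    spki_der: bytes  # would be the DER SubjectPublicKeyInfo; constructed bytes here


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into a policy dict."""
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.add(arg)
        elif name == "max-age":
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def note_pins(store: dict, host: str, header_value: str, chain: list) -> bool:
    """Note a pin policy for host, or ignore it (return False) if it is unusable.

    A policy is usable only when at least one pin matches the served chain (so the
    site does not lock itself out) and at least one backup pin does not match it
    (so the site can rotate keys later). max-age=0 clears any stored policy.
    """
    policy = parse_pkp_header(header_value)
    chain_pins = {pin_sha256(c.spki_der) for c in chain}
    if not (policy["pins"] & chain_pins) or not (policy["pins"] - chain_pins):
        return False
    if policy["max_age"] == 0:
        store.pop(host, None)
    else:
        store[host] = policy
    return True


def chain_allowed(store: dict, host: str, chain: list) -> bool:
    """True if no pin applies to host, or some cert in the chain matches a noted pin."""
    policy = store.get(host)
    if policy is None:  # look for a parent domain pinned with includeSubDomains
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = store.get(".".join(labels[i:]))
            if parent and parent["include_subdomains"]:
                policy = parent
                break
    if policy is None:
        return True
    return any(pin_sha256(c.spki_der) in policy["pins"] for c in chain)


def demo() -> dict:
    """Constructed scenario: a site pins its CA; a chain from any other CA is refused."""
    store = {}
    good_root = Cert("Pinned Root CA", "Pinned Root CA", b"constructed SPKI: pinned root")
    good_leaf = Cert("example.com", "Pinned Root CA", b"constructed SPKI: site key")
    other_root = Cert("Other Root CA", "Other Root CA", b"constructed SPKI: other root")
    other_leaf = Cert("example.com", "Other Root CA", b"constructed SPKI: mis-issued key")
    backup = pin_sha256(b"constructed SPKI: offline backup key")
    header = (f'pin-sha256="{pin_sha256(good_root.spki_der)}"; '
              f'pin-sha256="{backup}"; max-age=5184000; includeSubDomains')
    noted = note_pins(store, "example.com", header, [good_leaf, good_root])
    return {
        "noted": noted,
        "pinned_ca_ok": chain_allowed(store, "example.com", [good_leaf, good_root]),
        "other_ca_rejected": not chain_allowed(store, "example.com", [other_leaf, other_root]),
        "subdomain_covered": not chain_allowed(store, "www.example.com", [other_leaf, other_root]),
        "no_backup_ignored": not note_pins(store, "example.com",
                                           f'pin-sha256="{pin_sha256(good_root.spki_der)}"; max-age=60',
                                           [good_leaf, good_root]),
    }


if __name__ == "__main__":
    print(demo())
```

Pinning the CA's key rather than the leaf's, as the demo does, matches the reply's proposal (one CA per site) while still allowing the site to renew its own certificate; the backup-pin rule is what keeps a pinned site from bricking itself when that CA key or its own key has to change.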