On Fri, 8 Dec 2017 16:43:48 -0700 Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> The root CA is ultimately responsible for subordinate CAs it has
> signed.

I see a problem with that, as this is far from obvious. If a random person discovers a problem with a certificate it seems quite natural to go to the place that issued it. If you see a certificate issued by Microsoft then why would you believe that anyone other than Microsoft is responsible for that? (Add to that that in order to find out that it's ultimately Digicert that is responsible you'd have to first figure out that the root is "Baltimore Cybertrust", then figure out that this is a company that no longer exists and that the root has been bought by Digicert at some point.)

IMHO we're seeing a very problematic practice here. On the one hand CAs offer that companies can get their own "branded" certificates that are "issued" by them; on the other hand that's not really the case and all the responsibility is still with the CA. For the user - and also for potential reporters of security problems - this is obfuscating things.

I'm mostly not concerned about the people who follow these things closely and are members of this list, but about random other people who happen to find problems. It surely seems beneficial for the certificate ecosystem to make sure that they can easily find the right place to report problems.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42