First step of such a phase-out plan could be UI - showing non-commercial automated CAs (@letsencrypt or anyone else doing it right) preferentially in a way that makes the site look more secure than legacy CAs.
-
From the other side: anyone with a CA business who doesn't want to be perceived as a scammer should be figuring out why customers are still using them & finding a legitimate way to benefit those customers rather than charging more $$ than
@letsencrypt does for lower security.
-
Being a commercial CA now is kinda like being AOL post-2000, still charging $25/mo for dialup. It's not a good look.
-
How can you automate verifying your ID and company number?
-
Talking about EV certs? Deprecate them entirely; they've been shown to be worse-than-useless.
-
For $100 or so you can incorporate a same-name entity in a different jurisdiction and get an EV cert that looks like it belongs to a well-known company.
-
Could do much better than the current DV but not like that. DV is as good as it gets right now. DV is terrible because the weak link *isn't even unauthenticated DNS*, it permits all kinds of verification schemes including insecure email to a list of addresses considered admins.
-
CAA does move it closer to being sane by requiring that CAs check a DNS record to see if they're allowed to issue a certificate, but it's still unauthenticated and it seems like it doesn't even need to be respected if they receive authorization to ignore it... (not 100% clear)
-
Can at least opt-out of a bunch of insecure authentication mechanisms via using CAA to limit issuance to Let's Encrypt but it does nothing to reduce *trust* in all those other essentially useless CAs... :\
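As an added example that is not part of the thread: a minimal Python evaluator following the RFC 8659 CAA rules (climb to the nearest CAA RRset, honour critical flags, let "issuewild" override "issue" for wildcards), run over a constructed in-memory zone. The zone names, records and CA domains are constructed for illustration; a real CA would resolve them over DNS.

```python
# Added example (not from the thread): a small RFC 8659 CAA evaluator run over
# a constructed in-memory zone. It shows the decision a CA makes before issuing
# and how "issue"/"issuewild" records limit issuance to one CA.
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone: name -> CAA RRset. An empty list means "no CAA at this name".
ZONE: Dict[str, List[Record]] = {
    "example.org": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "www.example.org": [],             # inherits example.org's RRset
    "legacy.example.net": [],          # no CAA in the whole tree: the weak default
    "strict.example.org": [(128, "constructed-unknown-tag", "x")],  # critical, unknown
}

def relevant_rrset(name: str) -> Optional[List[Record]]:
    """RFC 8659 section 3: climb toward the root until a CAA RRset is found."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = ZONE.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return None

def may_issue(name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if the CA identified by ca_domain may issue for name."""
    rrset = relevant_rrset(name)
    if rrset is None:
        return True  # no CAA anywhere: any trusted CA may issue (the default)
    if any(flags & 0x80 and tag not in ("issue", "issuewild") for flags, tag, _ in rrset):
        return False  # critical flag on a tag the CA does not understand: refuse
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    issuers = [v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == tag]
    if not issuers:
        return True  # the RRset restricts nothing for this request type
    return ca_domain.lower() in issuers  # an empty issuer (";") authorizes nobody

def summary() -> Dict[str, bool]:
    """Constructed checks a defender can compare against their own zone."""
    return {
        "le_www": may_issue("www.example.org", "letsencrypt.org"),
        "other_www": may_issue("www.example.org", "other-ca.example"),
        "le_wild": may_issue("example.org", "letsencrypt.org", wildcard=True),
        "any_legacy": may_issue("legacy.example.net", "other-ca.example"),
        "critical": may_issue("strict.example.org", "letsencrypt.org"),
    }
```

The `legacy.example.net` case is the weak configuration the tweet describes (no CAA, so every CA may issue); `example.org` is the corrected one, limited to a single CA with wildcards refused.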
-
We're using HPKP to limit trust to Let's Encrypt intermediates, their root, and the IdenTrust root cross-signing them + 5 of our backup pins... which is nice, but Chromium is removing HPKP and no longer accepting applications for static pins so... that's the end of that.
-
But doesn't the need to find a jurisdiction where you can register yourself as Google reduce the number of fake Googles *in* *practice*? PS, I bet in most countries, registering a business named Google is TM infringement and sueable.
-
What are the arguments against "make HPKP override the normal PKI checks and slowly transition over to trust-on-first-use?" One argument I got is that revocation is awful. Any others?