Chrome won't trust Symantec-backed SSL as of Jun 1 unless they account for bogus certs

Lol. It’s not a point to point protocol, and I know you know that.

knocks a pint into your glass Cheers, fellow traveler!

Seriously, I left all of this once to get a Buddhist Studies doctorate only to drop out (because of stress and life demands) a semester in…

That does remind me that I need to get Kali Linux running on this portable rasperberry pi though.

If you ever feel the urge to visit the Shambhala Mountain Center PM me first.

Thanks! I’m familiar with it from friends who have done retreats there (and I did a few levels of Shambhala training back in the day). I do retreats in Los Angeles, usually twice a year, with my teacher, Shinzen Young as well as short ones locally in the Bay Area.

So I notice that one of the conditions of Symantec’s rehabilitation is that they have to provide full logs of their issued certificates moving forward. If you have full logs going forward, would it not be easy to revoke their root CA in the future? You can program the browser to recognize previously issued certs, since you have the entire list of such certs – so that the internet doesn’t have to shut down.

For Symantec to hold the entire internet hostage is bad enough … but what’s done is done. On the other hand, if we don’t act to prevent future occurrences, then that’s just inexcusable.

So, which browser vendor do you work for in order to implement your genius ideas? Are you contributing volunteer code to Chromium or Firefox?

Wait, what? Okay, revoke individual certs, yes. But not the root. That would nuke millions and millions of collateral certs, wildcards, and at least tens of millions of domains. But you don’t revoke the root unless you want to a) bankrupt the offending company and b) force cross grades on every affected site and service.

And EV certs from a new vendor take manual, human certification. Reissuing 1 million EV certs because you revoked a root will take at least 20 million man hours to issue, and likely close to 50-100 million man hours to disseminate and install.

That is why we are so fuckin’ mad, but can’t just nuke the roots.

Obviously, you’re just not committed enough to doing the right thing. You’re just being complacent!

Practicalities don’t matter to some folks.

I am not being insulting, and this is not mean… But do you know how PKI works? Please don’t take this as a dogpile.

To be fair and step back, he probably doesn’t because most people really don’t. They also don’t understand what an ugly hack it and all of the CAs (and the whole system) really are. It’s a mess but it is the only working mess we have. That’s why Moxy’s plans failed. It is rather difficult to get the entire Internet to embrace anything new. It isn’t 1985 anymore (or 1995).

Hell, look at this story, which just came in. We (Mozilla in this instance) might manage to convince Microsoft to retire SHA-1. Miracles happen. This is the kind of coordination problem that I’m talking about for any changes.

!!!

Drinks on the house for all Moz contributors… If they ever figure out where I live.

Oh…we know.

Guys, I know how PKI works. Or more accurately, I know how it isn’t working. I’m a cryptography researcher. I publish actively. I don’t hide my name. I used to work for Microsoft in the cryptography group. Checking a whitelist is no harder than checking a blacklist, which theoretically already exists.

You want something that works? iMessage works. SSH works. PKI is not the only answer. Just because you’ve spent years working on it doesn’t make it worth saving.

Then you understand that it isn’t the encryption that is broken (well for other reasons it may be, but that is out of scope) but the management of keys and identity. IMessage and ssh do nothing novel to solve this except move the entire burden of that management to the end user. So what happens then? Centralized cert and key stores. And boom, you have a CA again.

Shit needs to change but revoking the biggest root–which is what you said you advocated–is insane.

my job would be much harder when all the Symantec root certs would be revoked suddenly - but sometimes “insane” is the way to go. Let the current system crash horrible and screaming and build something completely new.

Wanting to “watch everything burn” is a valid viewpoint. I just prefer to scratch that itch with books and movies

So please explain a practical transition plan on how to move browsers and operating systems, all at the same time and in stages, to a new system at the same time taking into account all of the different agendas of various corporations and entities (I’m ex-Microsoft too from the IE team back in the day).