I sometimes wonder why we don't just skip the CA layer entirely and let the browsers be the CAs. Buy a "mozilla cert" and an "IE cert" and a "Chrome cert", and all the derivatives of them can hitch a ride based on that. It would fund browser development and eliminate the steaming pile of misplaced trust that is the PKI system.

Sometime last year I deleted my CA certificates because I finally realized I'm never going to actually audit all of the certs in there, and I *know* there are confirmed bad actors among them, so I shouldn't give myself a false sense of security.
We've got a real too-big-to-fail going on here. If a little company screwed something up this badly they'd be dead. But when one the size of Symantec screws up - oh well, they've got too many customers for us to revoke their signing privileges.

It's a ridiculous system and fwiw, it shouldn't be the security companies (though that's being very polite to Symantec) that grant certificates. It should be notaries public (a business all about assurance of human identity) using a physical appliance.

Or, admit we don't care and ditch the entire system for something based on bailing wire and chewing gum, because that's roughly what we've got now.
Wouldn't a course of action be to forbid Symantec from letting their partners issue certificates using their intermediate CAs? That would probably mean that Symantec would have to pay compensation to their partners for being forced to breach their contract.
When is Google / Mozilla going to just blacklist them as a CA for anything going forward? This seems like a thing where they'd be lucky to give you a single warning as this could literally get people killed due to oppressive regimes doing MiTM.
i like the wording in Symantec's press release: "Symantec has learned of a possible situation..."

so, let's not be hasty. this isn't a security problem. it's just a "possible situation".

hell, we've all been in situations before. there's nothing inherently wrong with a situation, even if it took place in a location named "test, Korea". i mean, hey, we've all taken tests. some of us have even been in test situations. it's not a problem.

you can just go now. this is not the situation you're looking for.
Looks like there's more:

https://crt.sh/?id=63552608 with commonName: jotestintermediate.bbtest.net
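The crt.sh entry above was found by looking through Certificate Transparency logs. As an added example (not from the thread or from crt.sh), the script below shows the defender-side version of that: take crt.sh-style JSON records for a domain you own and flag any certificate whose issuer is not on your allowlist or whose names look like test artifacts. The records, the field names (`issuer_name`, `common_name`, `name_value`) and the issuer allowlist are constructed assumptions for the example; a real run would fetch the JSON for your own domain and supply your own expected issuers.

```python
import json
import re

# Constructed records in the shape of crt.sh's JSON output (assumed field names;
# these are sample values for the example, not real log entries).
SAMPLE_CRTSH_JSON = json.dumps([
    {
        "id": 1,
        "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
        "common_name": "www.example.com",
        "name_value": "www.example.com\nexample.com",
    },
    {
        "id": 2,
        "issuer_name": "C=US, O=Symantec Corporation, CN=Symantec Class 3 Secure Server CA - G4",
        "common_name": "www.example.com",
        "name_value": "www.example.com",
    },
    {
        "id": 3,
        "issuer_name": "C=US, O=Some Partner, CN=Partner Intermediate CA",
        "common_name": "jotestintermediate.example.com",
        "name_value": "jotestintermediate.example.com",
    },
])

# Hypothetical allowlist: the only CAs this organization has ever asked to issue for it.
EXPECTED_ISSUER_CNS = {"Let's Encrypt Authority X3"}

# Names containing "test" are a common sign of a certificate issued during a
# CA's or partner's internal testing rather than for the real domain owner.
TEST_NAME_PATTERN = re.compile(r"test", re.IGNORECASE)


def issuer_cn(issuer_name: str) -> str:
    """Pull the CN attribute out of a comma-separated distinguished name."""
    match = re.search(r"CN=([^,]+)", issuer_name)
    return match.group(1).strip() if match else issuer_name.strip()


def audit_ct_records(raw_json: str, expected_issuers: set) -> list:
    """Return one finding per certificate that a domain owner did not expect.

    A record is flagged when its issuer CN is outside the allowlist, or when the
    subject CN or any SAN looks like a test name. Each finding lists every reason
    so an analyst can see a test-named cert from an unknown issuer as two signals.
    """
    findings = []
    for record in json.loads(raw_json):
        cn = record.get("common_name", "")
        sans = record.get("name_value", "").split("\n")
        issuer = issuer_cn(record.get("issuer_name", ""))
        reasons = []
        if issuer not in expected_issuers:
            reasons.append(f"issuer not in allowlist: {issuer}")
        if any(TEST_NAME_PATTERN.search(name) for name in [cn, *sans]):
            reasons.append("test-like name in subject")
        if reasons:
            findings.append({"id": record.get("id"), "issuer": issuer,
                             "common_name": cn, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_ct_records(SAMPLE_CRTSH_JSON, EXPECTED_ISSUER_CNS):
        print(finding["id"], finding["common_name"], "<-", finding["issuer"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The allowlist is the important part: CT logs tell you what was issued, but only the domain owner knows what should have been issued, so the comparison has to be against your own records of certificate requests rather than against any notion of which CAs are "reputable".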
"Symantec caught once again improperly issuing illegitimate HTTPS certificates"

So I wonder what the correct way to issue illegitimate HTTPS certificates is?