Software vendors shouldn't list CAs as trusted when they prove they can't be trusted - but removing a CA from the trust store breaks things for innocent websites who just chose a crappy CA.<p>Every CA should be required to publish a signed, public list of every certificate they have issued that is currently valid; and no certificate should be considered valid if it isn't on a CA's public list of certificates.<p>That way, when a CA fucks up like this, vendors could remove their certificates from the root stores, but could grandfather in all their previous certificates so the CA's customers have a few months to get a certificate from a decent CA. We could even use the list to contact all the CA's customers and advise them of the upgrade deadline.<p>If this CA isn't removed from the root store, it sends a message to other CAs: You can issue bad certificates with impunity, and there will be no negative consequences.
Moxie Marlinspike gave a talk at DEFCON 19 about how broken the CA model is and suggested an alternative.<p>The talk - <a href="https://www.youtube.com/watch?v=pDmj_xe7EIQ" rel="nofollow">https://www.youtube.com/watch?v=pDmj_xe7EIQ</a>
The alternative - <a href="http://convergence.io/" rel="nofollow">http://convergence.io/</a>
<i>This event also highlights, again, that our Certificate Transparency project is critical for protecting the security of certificates in the future.</i><p>No! Certificate Transparency still relays on central authorities. We need to get rid of CAs. TACK + Convergence is the correct solution.
The CCA is so aware of its own vulnerability, it refrains from the use of SSL on its own page <a href="http://cca.gov.in/cca/index.php" rel="nofollow">http://cca.gov.in/cca/index.php</a> - no https here :)
> At this time, India CCA is still investigating this incident. This event also highlights, again, that our Certificate Transparency project is critical for protecting the security of certificates in the future.<p>What is there to investigate? If they had a proper system in place this should not require 'investigation'.<p>While I embrace the global infrastructure, it's a bit weird to give authority rights within a country that has a pretty broken legal system (re: Avnish Bajaj, etc).
It's because of incidents like <i>this</i> why I call our PKI a scam and a racket. The fact that this is even a thing that can ever happen points to massive, systemic problems in the trust model.
Maybe we need a browser add on that warns us when a shady/incompetent CA has signed the certificate of the current site we are on? As it sits today there is no repercussion for these terrible CAs that screw up like this.
The CA system is broken, so is BGP with routes being essentially hijacked by the word of mouth protocol. Wonder what the fixes or a reboot of the internet would look like.
I wonder if having your registrar be the only one able to issue you a cert for your domain would solve this. That way the user can verify that the cert was not only signed by a trusted CA but by a trusted CA for this specific domain.
I wonder if we can map <i>every</i> intermediate?<p>Obviously Certificate Transparency (or any public audit log to some extent, really) helps a <i>bunch</i> with this sort of thing.
> The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome.<p>Jesus Christ, the CA system is so broken.