from Hacker News

Mozilla wants CAs to revoke 30 random certificates per year

by mirages on 1/10/25, 2:54 PM with 34 comments

  • by ForHackernews on 1/10/25, 4:49 PM

    > Would a CA be allowed to pre-notify customers whose certs were randomly selected and {pre/re}-issue them replacements?

    If this is permitted, then I see no problem with this plan. It will force people to do what they already should be doing: have a plan in place to rotate certificates in case of revocation.

    > The point is that right now revocation is so painful that it’s causing CAs to side with subscriber convenience over the integrity of the web PKI. Sampled, controlled revocations let us identify points of pain before they have security implications, and motivate Subscribers to prepare their systems—whether through automation or not, up to them, I’m not their dad—to tolerate on-time revocation. We care about the likely outcomes of automation, such as tolerance of short revocation or expiry timelines, really, but if BigSlowCo wants to staff a 24-hour cert maintenance squad such that they don’t (successfully) pressure their CA into blowing revocation deadlines, that’s their opex choice. Directly evaluating ecosystem capability around prompt revocation is the only way I can think of to identify areas of danger or weakness before they become issues for the web.

    This is like testing the fire extinguishers.

  • by alyandon on 1/10/25, 4:29 PM

    That is a pretty breathtaking example of ivory tower thinking if there ever was one. I really just don't know what else I can say about that kind of proposal.

  • by nimish on 1/10/25, 5:19 PM

    This is classic "we don't have a purpose so let's cause problems" thinking. WTF!!

  • by Habgdnv on 1/10/25, 6:23 PM

    And what about revoking the certificate of mozilla.org 30 times instead?

  • by Spivak on 1/10/25, 4:41 PM

    I think Roman Fischer in the thread has it right, 30 certs is a single drop of water the Atlantic. Like there's no wink wink necessary, at that scale it would be flatly irrational to do anything at all to handle being one of these revocations. We're taking about a roughly 0.00001% chance that it's you. Forget some dumb cert revocation logic I would play Russian Roulette with those odds.

    But on the flip side those 30 unlucky souls are gonna be pissed. There's so many other less disruptive ways you could do this.

  • by tiffanyh on 1/10/25, 5:12 PM

    Why don’t they revoke the certificate for a special-use domain, like example.com.

    As opposed to 30-random entities.

    https://en.m.wikipedia.org/wiki/Special-use_domain_name

  • by DuckConference on 1/10/25, 5:10 PM

    I think the garbage CAs that want to delay certificate revocation way beyond requirements are numerous enough that this proposal won't go ahead. Much easier for them to just do nothing and hope they won't be the next Entrust.

  • by workfromspace on 1/11/25, 11:09 AM

  • by seventytwo on 1/10/25, 5:34 PM

    Why though? What’s the problem this solves?

  • by 1317 on 1/10/25, 4:24 PM

    that's just rude

  • by otabdeveloper4 on 1/10/25, 5:38 PM

    Good lord, the PKI infrastructure is a completely batshit clusterfuck.