On Mon, Apr 13, 2015 at 9:43 PM, <imfasterthanneutr...@gmail.com> wrote:
> On Monday, April 13, 2015 at 8:57:41 PM UTC-4, northrupt...@gmail.com wrote:
> >
> > * Less scary warnings about self-signed certificates (i.e. treat
> > HTTPS+selfsigned like we do with HTTP now, and treat HTTP like we do with
> > HTTPS+selfsigned now); the fact that self-signed HTTPS is treated as less
> > secure than HTTP is - to put this as politely and gently as possible - a
> > pile of bovine manure
>
> This feature (i.e. opportunistic encryption) was implemented in Firefox
> 37, but unfortunately an implementation bug made HTTPS insecure too. But I
> guess Mozilla will fix it and make this feature available in a future
> release.
>
> > * Support for a decentralized (blockchain-based, ala Namecoin?)
> > certificate authority
> >
> > Basically, the current CA system is - again, to put this as gently and
> > politely as possible - fucking broken. Anything that forces the world to
> > rely on it exclusively is not a solution, but is instead just going to make
> > the problem worse.
>
> I don't think the current CA system is broken. The domain name
> registration is also centralized, but almost every website has a hostname,
> rather than using IP address, and few people complain about this.
>

I would also note that Mozilla is contributing heavily to Let's Encrypt, which is about as close to a decentralized CA as we can get with current technology.

If people have ideas for decentralized CAs, I would be interested in listening, and possibly adding support in the long run. But unfortunately, the state of the art isn't quite there yet.

--Richard

> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform