On Thu, Aug 1, 2013 at 9:04 AM, Antoine Musso hashar+wmf@free.fr wrote:
Le 01/08/13 06:52, Jeremy Baron a écrit :
We (society, standards making bodies, etc.) need to do more to reform the current SSL mafia system. (i.e. it should be easier for a vendor to remove a CA from a root store and we shouldn't have a situation where many dozens of orgs all have the ability to sign certs valid for any domain.)
I'm not sure how much we (Wikimedia) can do about that though.
Potentially similar minded foundations could form a new foundation that would be their SSL authority :-] I am not sure whether it would be cost effective though.
That would take years of lead time (once the CA is all ready) to get into vendor root stores. And then you have to wait for the products to actually ship.
I guess we could also get cross-signed for the interim. Anyway, would need some long-term vision/investment. That wouldn't help anything until at least the end of next year. But then we still end up with the same problem: dozens of other orgs (in addition to the new hypothetical non-profit) can fraudulently sign a cert for wikipedia and be trusted nearly everywhere.
-Jeremy