On Thu, Aug 1, 2013 at 9:04 AM, Antoine Musso <hashar+wmf(a)free.fr> wrote:
Le 01/08/13 06:52, Jeremy Baron a écrit :
We (society, standards making bodies, etc.) need
to do more to reform
the current SSL mafia system. (i.e. it should be easier for a vendor
to remove a CA from a root store and we shouldn't have a situation
where many dozens of orgs all have the ability to sign certs valid for
any domain.)
I'm not sure how much we (Wikimedia) can do about that though.
Potentially similar minded foundations could form a new foundation that
would be their SSL authority :-] I am not sure whether it would be cost
effective though.
That would take years of lead time (once the CA is all ready) to get
into vendor root stores. And then you have to wait for the products to
actually ship.
I guess we could also get cross-signed for the interim. Anyway, would
need some long-term vision/investment. That wouldn't help anything
until at least the end of next year. But then we still end up with the
same problem: dozens of other orgs (in addition to the new
hypothetical non-profit) can fraudulently sign a cert for wikipedia
and be trusted nearly everywhere.
-Jeremy