
(inspired by *How do you tell a website they have expired security certificates?*)

Why don't major browsers trust the US Treasury PKI certificate authority by default? I know that the government isn't necessarily trustworthy, but surely they're at least as trustworthy as 'GoDaddy.com'. Are there technical or systemic deficiencies in the US government's granting of certs or is this based on something else?

  • I would assume that people outside the US are more inclined to trust GoDaddy than to trust the US Treasury, me included... But [Steffen](https://security.stackexchange.com/a/154016/138516) gave the accurate answer anyway :) – MiaoHatola Mar 16 '17 at 08:57
  • 1
    @MiaoHatola I'm not saying the US treasury is great, I'm just saying at least they're not [these guys](https://en.wikipedia.org/wiki/Kohlberg_Kravis_Roberts). But fair enough :) – Please stop being evil Mar 16 '17 at 18:26

1 Answer


It is not that the browsers are unwilling to include this PKI. But they will only include a PKI which gets regular audits and fully conforms to the rules of the CAB browser forum. According to this bug, the inclusion process in the Mozilla trust store (i.e. Firefox) was started 8 years ago and is still an ongoing process. For all the details see the bug itself.

Steffen Ullrich
  • Oh my goodness. I knew the process was slow but... D: I think that bug showcases how long a bureaucracy running into another bureaucracy can really take. – Please stop being evil Mar 16 '17 at 05:45
  • Don't worry...it's not that relevant and soon things may drastically change. – Overmind Mar 16 '17 at 06:25
  • 1
    @Overmind #MakeCAsGreatAgain? – architekt Mar 16 '17 at 09:05
  • I think there will be another approach, but one thing is for sure: the green browser icon has been abused a lot and something will definitely change. – Overmind Mar 16 '17 at 09:10
  • 1
    @Overmind: I don't think that this is the appropriate place for vague speculations. If you have real details about a replacement which will definitely come in the next years then provide a link to it instead of just claiming that *soon things may drastically change* without providing any details. – Steffen Ullrich Mar 16 '17 at 09:58
  • This will probably be the next step: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities . Not perfect, but not as bad as this: https://citpsite.s3.amazonaws.com/publications/Roosa_Schultze_CA_Trust_Model.pdf – Overmind Mar 21 '17 at 09:03
  • @Overmind: the idea to use DANE has been hanging around for years without much progress. The feature was even implemented in Chrome [but later removed due to lack of use](https://www.imperialviolet.org/2011/06/16/dnssecchrome.html). Since DANE depends on DNSSec, which is still lacking wide enough adoption, I doubt that we will get it in the near future, i.e. I doubt that *"soon things may drastically change"*. – Steffen Ullrich Mar 21 '17 at 09:55
  • We'll see. What's clear is that you can get the green icon way too easily. – Overmind Mar 22 '17 at 11:36
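The DANE alternative raised in the comments above, as an added example that is not code from the thread: a server's certificate is checked against a DANE-EE TLSA record (RFC 6698, usage 3, selector 0), so the decision rests on the DNS-published hash rather than on which CAs sit in the browser's trust store. The certificate bytes and the TLSA record below are constructed stand-ins, not real X.509 data.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA RR, e.g. _443._tcp.example.com. IN TLSA <usage> <selector> <matching> <data>"""
    usage: int     # 0/1 still need normal CA (PKIX) validation; 2 = DANE-TA, 3 = DANE-EE (no CA store)
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo only
    matching: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '3 0 1 <hex digest>' (the hex may be split by whitespace)."""
    usage, selector, matching, *hexparts = presentation.split()
    return TLSARecord(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))


def association_data(cert_der: bytes, matching: int) -> bytes:
    """Derive the association data for selector 0 (the whole certificate)."""
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown TLSA matching type {matching}")


def dane_ee_matches(record: TLSARecord, cert_der: bytes) -> bool:
    """True if the served certificate is exactly the one the DANE-EE record pins.
    Usages 0-2 and selector 1 (SPKI extraction) are out of scope for this example."""
    if record.usage != 3 or record.selector != 0:
        raise NotImplementedError("only usage 3 / selector 0 is handled here")
    expected = association_data(cert_der, record.matching)
    # Constant-time comparison; lengths differing simply yields False.
    return hmac.compare_digest(expected, record.data)


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
SITE_CERT_DER = b"\x30\x82\x01\x00constructed-leaf-cert-for-example.com"
ROGUE_CERT_DER = b"\x30\x82\x01\x00constructed-misissued-cert-from-a-trusted-ca"
# Constructed record the zone owner would publish for SITE_CERT_DER.
TLSA_RR = "3 0 1 " + hashlib.sha256(SITE_CERT_DER).hexdigest()

if __name__ == "__main__":
    rec = parse_tlsa(TLSA_RR)
    print("own cert matches:", dane_ee_matches(rec, SITE_CERT_DER))     # True
    print("rogue cert matches:", dane_ee_matches(rec, ROGUE_CERT_DER))  # False
```

The rogue certificate fails even though, in a CA-based check, it would pass as long as its issuer is in the trust store; this is the property the DANE comment refers to, and it only holds if the TLSA lookup itself is protected by DNSSEC.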