
Add Amazon root certificates - joshmoz
https://bugzilla.mozilla.org/show_bug.cgi?id=1172401
======
reipahb
This being Amazon AWS gives me hope that this will be a CA with an API that
allows automatic certificate issuance for domains you control. I find the
process of issuing and reissuing certificates for all sorts of services to be
an increasing amount of work as more and more services move to https.

(The letsencrypt.org CA is built around automated certificate issuance through
an API, but some competition wouldn't be a bad thing.)

~~~
agwa
Check out SSLMate, which has been automating certificate issuance since early
last year: [https://sslmate.com](https://sslmate.com)

We have both an API and a highly scriptable open source command line client.

~~~
techsupporter
Seems very clever, but I have to ask:

> DV certificates are $15.95/year per domain,

Not a bad price, very much one I'd be willing to pay in order to get
certificates via a CLI.

> or $149.95/year for unlimited sub-domains.

Ouch, 10x for a wild card? Why do issuers do this? It really puts a crimp on
the whole "hobbyist doing hobbyist things" since that's $150/year just to not
have cert errors on a single domain.

(FWIW, I'm deliberately excluding StartSSL for a variety of reasons.)

~~~
digi_owl
Could be it also discourages script kiddies from pulling antics.

~~~
madaxe_again
Not sure why you've been downvoted - this is pretty much the reason for
elevated pricing of wildcard certs. They are more open to abuse (have seen
them used for phishing sites), so the issuer carries a higher risk of having
to do additional management around the cert (i.e. revocations), and therefore
charges more.

------
zwily
An obvious move for Amazon. They'll be able to make SSL certificate management
pretty painless for people using ELB.

~~~
eli
I wonder if they have plans for CloudFront too. That'd be a killer feature to
be able to use HTTPS on cloudfront on a custom domain without it costing a
fortune.

~~~
psychometry
What's the benefit to serving your assets from a custom SSL-secured domain
over [https://whatever.cloudfront.net](https://whatever.cloudfront.net)? The
end-user doesn't really care what domain they're served from.

~~~
ceejayoz
You can sit CloudFront in front of the entire site (not just assets, similar
to CloudFlare) and tell it to proxy POST requests to the origin.

------
michaelmior
I wonder how long it will take before it becomes practical to rely on
Amazon-issued certs.

------
aaronpk
Does it bother anyone else that the links Amazon provided to their
certificates and CRLs are not https?

~~~
dlgeek
The CRL part is according to the standard:

RFC 5280, Section 8 (Security Considerations): "CAs SHOULD NOT include URIs
that specify https, ldaps, or similar schemes in extensions."

([https://tools.ietf.org/html/rfc5280](https://tools.ietf.org/html/rfc5280),
page 103)
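To make the RFC 5280 point checkable, here is an added shell example (not code from the thread or from Amazon): it builds a constructed self-signed certificate with openssl whose CRL Distribution Point is http but whose OCSP responder URI is https, then lists the revocation URIs in a certificate and flags any https ones. It covers both the cRLDistributionPoints and authorityInfoAccess extensions, since the RFC's advice applies to both; the host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Why RFC 5280 section 8 discourages https
# here: fetching a CRL or OCSP response over TLS requires validating the
# fetch server's own certificate, which may point back at the same CRL, so the
# check can recurse without bound. Plain http avoids that; integrity comes
# from the CA signature on the CRL/OCSP response, not from the transport.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample certificate (placeholder names, not real CA URLs):
# CRL over http (as recommended), OCSP over https (the anti-pattern).
make_sample_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" -days 1 \
    -subj "/CN=example-root-test" \
    -addext "crlDistributionPoints=URI:http://crl.example.test/root.crl" \
    -addext "authorityInfoAccess=OCSP;URI:https://ocsp.example.test" \
    >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# Print every URI from the CRL DP and AIA extensions of a PEM cert, one per line.
revocation_uris() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints,authorityInfoAccess \
    | grep -o 'URI:[^ ]*' | cut -c5-
}

# Print only the URIs whose scheme is https; a non-empty result is the finding.
https_revocation_uris() {
  revocation_uris "$1" | while read -r uri; do
    case "$uri" in
      https://*) echo "$uri" ;;
    esac
  done
}

CERT=$(make_sample_cert)
echo "revocation URIs in $CERT:"
revocation_uris "$CERT"
echo "https URIs (RFC 5280 section 8 says there should be none):"
https_revocation_uris "$CERT"
```

Point `revocation_uris` at any PEM certificate (a downloaded root or intermediate) to audit it the same way.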

~~~
DanWaterworth
People having obscure knowledge never ceases to impress me.

(It's page 104 though ;P )

~~~
lucb1e
I knew that as well because I was equally surprised that the revocation lists
are over HTTP and looked this up, only I did this a few years ago. Not very
obscure in my opinion.

------
teoruiz
How long will it take for the CA to be distributed to a large enough browser
base?

I mean, it could be years. Is there any other, speedier process
(cross-signing, for instance)?

~~~
kbrosnan
8 to 12+ months for it to be in a release version of Firefox.
[https://wiki.mozilla.org/CA:How_to_apply#Timeline](https://wiki.mozilla.org/CA:How_to_apply#Timeline)
and [https://wiki.mozilla.org/CA](https://wiki.mozilla.org/CA) document the
process in great detail.

~~~
alexchamberlain
Does that go for new root certificates as well?

------
madez
A typo in the introduction:

    "We do not require customers that customers have a domain registration (...)"

There is one "customers" too many.

~~~
jshb
What's the problem? It seems totally fine to me, but I'm no English native.

~~~
dtparr
As he says, there's an extra 'customers'. It should have been either

"We do not require that customers have a domain registration (...)"

or

"We do not require customers to have a domain registration (...)"

------
rmoriz
Please support S/MIME!

------
x5n1
The community needs to figure out a way to demonopolize this business and make
it ubiquitous without destroying its credibility.

~~~
justinsb
I think the EFF has (and is making great progress towards launching it):
[https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web](https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web)

------
elcct
Since Amazon is an American company, would you trust their certificates? I
mean are they going to give private keys to NSA or whoever is now spying in
the US?

~~~
ceejayoz
There isn't a single CA in existence that wouldn't be subject to nation-state
pressure and/or infiltration. If NSA/GCHQ/FSB/etc. want to MITM you, they can
probably MITM you.

~~~
nucleardog
I've always enjoyed James Mickens' perspective on this:

"In the real world, threat models are much simpler (see Figure 1). Basically,
you're either dealing with Mossad or not-Mossad. If your adversary is
not-Mossad, then you'll probably be fine if you pick a good password and don't
respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your
adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO
ABOUT IT. The Mossad is not intimidated by the fact that you employ https://.
If the Mossad wants your data, they're going to use a drone to replace your
cellphone with a piece of uranium that's shaped like a cellphone, and when you
die of tumors filled with tumors, they're going to hold a press conference and
say "It wasn't us" as they wear t-shirts that say "IT WAS DEFINITELY US," and
then they're going to buy all of your stuff at your estate sale so that they
can directly look at the photos of your vacation instead of reading your
insipid emails about them. In summary, https:// and two dollars will get you a
bus ticket to nowhere. Also, SANTA CLAUS ISN'T REAL. When it rains, it pours."

(From "This World Of Ours" -
[http://research.microsoft.com/en-us/people/mickens/thisworldofours.pdf](http://research.microsoft.com/en-us/people/mickens/thisworldofours.pdf))

~~~
vacri
While entertaining, this is a bit like saying that there are only two kinds of
vendors: beach stalls that sell you icecream; and giant multinational
conglomerates that have huge department stores. In reality, there's plenty of
folks in-between.

------
higherpurpose
Why would I trust a company like Amazon with a root certificate when it
doesn't even use HTTPS across its website?

~~~
dangrossman
Neither do Verisign, Entrust, TrendMicro, IdenTrust, or StartCom, which are
root certificate authorities your browser trusts right now. All of their sites
are accessible over HTTP. It doesn't really say anything about whether you
should trust their CA businesses.

~~~
umanwizard
The GP wasn't pointing out that Amazon is "accessible over HTTP". He was
making the much stronger point that Amazon doesn't even _offer_ HTTPS on most
of its site.

