Hacker News

Itʼs so strange that they didnʼt manage to set up a proper certificate for an HTTPS proxy project website: https://www.ssllabs.com/ssltest/analyze.html?d=www.tofuproxy...

Edit: I guess theyʼre philosophically opposed to PKI, and are promoting instead certificate pinning, Web-of-Trust: http://www.stargrave.org/Harmful.html

This makes me wonder if itʼs possible to get `Letʼs Encrypt` to cross-sign an HTTPS certificate issued by another CA?

It's naive to think you can scale the web we have today on a web of trust. If you didn't know, Google Chrome largely ignores the whole certificate revocation infrastructure because it's slow and has privacy issues[0]. How would things work if you checked every single web request you make against the web of trust? Your peers would know every site you visit, or worse, a notary for your trust would know every site you visit. PKI works because the check is local and based on time and cryptographic signatures.

[0] https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...


OCSP stapling solves the privacy issues IIRC.


IIRC signing by multiple CAs isn't possible, so you would have to extend TLS or X.509 or both.


It is currently possible to present multiple certificates when the connection is initiated using TLS. These certs are usually a chain - from CA to intermediate CA and then the final cert, but it should be possible to present certificates from different chains. The question is how the clients would be able to handle this.
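An added, constructed example (not from the thread or from the tofuproxy project) of what the comment above and the earlier cross-signing question boil down to in practice: the same intermediate key is certified by two unrelated roots, the server can send both intermediate certificates, and a client trusting either root builds a valid path from the single leaf certificate. All names (Root A, Root B, proxy.example.test) are placeholders; it uses only the Go standard library's crypto/x509 verifier as the "client".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed toy PKI: two independent roots, one intermediate key certified
// by BOTH roots (cross-signing), and one leaf issued under that key.
type pki struct {
	rootA, rootB   *x509.Certificate
	intByA, intByB *x509.Certificate // same intermediate key, two issuers
	leaf           *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// sign issues a certificate for pub over tmpl, signed by signer.
// A nil parent means self-signed (the template is its own issuer).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func buildPKI() pki {
	keyA, keyB, keyInt, keyLeaf := mustKey(), mustKey(), mustKey(), mustKey()
	rootA := sign(caTemplate("Root A (constructed)", 1), nil, &keyA.PublicKey, keyA)
	rootB := sign(caTemplate("Root B (constructed)", 2), nil, &keyB.PublicKey, keyB)

	// Cross-signing: identical subject and public key, certified twice.
	intTmpl := caTemplate("Intermediate (constructed)", 3)
	intByA := sign(intTmpl, rootA, &keyInt.PublicKey, keyA)
	intByB := sign(intTmpl, rootB, &keyInt.PublicKey, keyB)

	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "proxy.example.test"},
		DNSNames:     []string{"proxy.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// One leaf, signed once by the intermediate key; which intermediate
	// certificate reaches a trusted root is decided by the client.
	leaf := sign(leafTmpl, intByA, &keyLeaf.PublicKey, keyInt)
	return pki{rootA, rootB, intByA, intByB, leaf}
}

// chainOK plays the client: trusted roots plus whatever intermediates the
// server sent in its TLS certificate message.
func chainOK(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) bool {
	rootPool, intPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		intPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName: "proxy.example.test", Roots: rootPool, Intermediates: intPool,
	})
	return err == nil
}

// runScenarios models three clients: trusts only Root A, trusts only Root B,
// and trusts Root A but was served only the Root B cross-certificate.
func runScenarios() map[string]bool {
	p := buildPKI()
	both := []*x509.Certificate{p.intByA, p.intByB}
	return map[string]bool{
		"trusts A, served both cross-certs":    chainOK(p.leaf, []*x509.Certificate{p.rootA}, both),
		"trusts B, served both cross-certs":    chainOK(p.leaf, []*x509.Certificate{p.rootB}, both),
		"trusts A, served only B's cross-cert": chainOK(p.leaf, []*x509.Certificate{p.rootA}, []*x509.Certificate{p.intByB}),
	}
}

func main() {
	for name, ok := range runScenarios() {
		fmt.Printf("%-40s verified=%v\n", name, ok)
	}
}
```

The first two scenarios verify and the third does not: the cross-certificate is what lets one leaf satisfy clients with different trust stores, and the server has to actually send the intermediate that the client's root can sign off on. This is also why "getting a CA to cross-sign a certificate issued by another CA" is done at the intermediate level, not per end-entity certificate.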
