Longer-term solution to Mojang Certificate changes.
#3
Multiple reasons:

Revocation. At the moment with <10 certs, manually managing revocation manually is feasible. For an entire Firefox store, we would need to implement the entire revocation list system, to prevent a compromised CA from rendering us vulnerable.

Legacy roots. A browser certificate store contains a large number of roots which are not used any more for new certs, but are present for various reasons. We would need to filter these out before adding them to the server.

Attack surface. Every root we add is another CA that could be compromised in some way, increasing the risk that we are compromised by a false cert.

Maintenance Maintaining such a store would be even more work than the current setup, because we would have to do it every time a root is added to the store we are coping, which happens far more frequently than mojang changing their cert.
Reply
Thanks given by:


Messages In This Thread
RE: Longer-term solution to Mojang Certificate changes. - by worktycho - 05-29-2015, 06:23 AM



Users browsing this thread: 3 Guest(s)