Longer-term solution to Mojang Certificate changes.
#1
Would a better long-term solution be to just get all CA certificates that are, say, distributed with Firefox, and copy them into the code? Then that file could be updated every so often.

This would avoid a repeat of the issue with authentication.

Is this a bad idea for some reason that I'm missing?
#2
I think that the cert change was a one-off incident, if it happens again, it's most likely in the years timeframe, so it's not worth the trouble. Nor is it worth the bundle of cert data that we'd need to maintain ( http://mxr.mozilla.org/mozilla-central/s...rtdata.txt )
#3
Multiple reasons:

Revocation. At the moment, with <10 certs, manually managing revocation is feasible. For an entire Firefox store, we would need to implement the entire revocation list system, to prevent a compromised CA from rendering us vulnerable.

Legacy roots. A browser certificate store contains a large number of roots which are not used any more for new certs, but are present for various reasons. We would need to filter these out before adding them to the server.

Attack surface. Every root we add is another CA that could be compromised in some way, increasing the risk that we are compromised by a false cert.

Maintenance. Maintaining such a store would be even more work than the current setup, because we would have to do it every time a root is added to the store we are copying, which happens far more frequently than Mojang changing their cert.
#4
Politics. Building a certificate store for the web involves a lot of compromises due to politics that we may not want to make. For example, do we want to trust the China Internet Network Information Center cert? Mojang almost certainly aren't going to use them.

I think that's enough reasons why maintaining our own root store is not a good idea.
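As an added example (not code from this thread or from the server project), the Python below shows what even the first filtering step over a certdata.txt-style file like the one linked in #2 looks like: it keeps only roots whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR and drops distrusted roots and roots not meant for server certs, which is part of the legacy-root and revocation work #3 describes. The sample input is constructed and its octal bodies are placeholder bytes, not real DER certificates.

```python
# Constructed sample in the certdata.txt layout; octal bodies are placeholder bytes, not real DER.
SAMPLE_CERTDATA = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Email Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Email Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\003
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''

def parse_certdata(text):
    """Map label -> DER bytes and label -> CKA_TRUST_SERVER_AUTH value."""
    certs, trust, label, obj = {}, {}, None, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith("CKA_CLASS"):
            obj = line.split()[-1]  # CKO_CERTIFICATE or CKO_NSS_TRUST
        elif line.startswith("CKA_LABEL"):
            label = line.split(" ", 2)[2].strip('"')
        elif line == "CKA_VALUE MULTILINE_OCTAL" and obj == "CKO_CERTIFICATE":
            body = "".join(iter(lambda: next(lines).strip(), "END"))  # octal lines up to END
            certs[label] = bytes(int(o, 8) for o in body.split("\\") if o)
        elif line.startswith("CKA_TRUST_SERVER_AUTH") and obj == "CKO_NSS_TRUST":
            trust[label] = line.split()[-1]
    return certs, trust

def server_auth_roots(text):
    """Roots trusted to issue TLS server certs; NOT_TRUSTED, MUST_VERIFY_TRUST and roots without a trust object are dropped."""
    certs, trust = parse_certdata(text)
    return {lbl: der for lbl, der in certs.items()
            if trust.get(lbl) == "CKT_NSS_TRUSTED_DELEGATOR"}
```

Against the real file this is only the filtering step; the result still changes every time Mozilla adds or distrusts a root, which is the ongoing maintenance cost #3 and #4 point out.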