Spanish banished: Google Chrome to snub Camerfirma for lax cert management

When Google Chrome 90 arrives in April, visitors to websites that depend on TLS server authentication certificates from AC Camerfirma SA, a digital certificate authority based in Madrid, Spain, will find that those sites no longer present the secure lock icon. Certificate authorities (CAs) are in the business of signing …

  1. Anonymous Coward
    Facepalm

    It involves one of the major Italian banks, and a large provider of digitally signed services

    It looks like a lot of the issues of the CA also involve Intesa SanPaolo, one of the biggest Italian banks, probably the biggest after it bought UBI Banca last year.

    It also involves Infocert, which is a company that provides many services based on digital signatures and secure authentication: PEC, the certified e-mail, SPID, the authentication method used to access government services, and the now mandatory digital invoices. It has many users.

    Removing the CA will start a lot of fireworks in Italy, I guess...

    1. Pascal Monett Silver badge

      Re: Removing the CA will start a lot of fireworks in Italy, I guess

      Good.

      Security is not a hobby, it's a job. You do it right, or you get fired.

      1. Anonymous Coward

        Re: Removing the CA will start a lot of fireworks in Italy, I guess

        The Infocert site reports they bought 51% of Camerfirma in 2018 - a smart move, it looks. If the CA is removed by major browsers, its value will become zero.

        And the whole company will have a hard time explaining what happened to customers...

  2. Anonymous Coward

    In terms of security

    It puzzles me why Mozilla makes it so difficult to disable (you cannot remove altogether) the built-in CA list. You have to click on them one by one and there are literally hundreds, although most users only end up using perhaps half a dozen.

    Wouldn't it make sense to ship a pre-loaded list but with everything disabled at first and have users take a moment to trust (temporarily / permanently) as they start using their browsers? I did that exercise two/three years ago (i.e., disabled every single one of them at first) and within a day I had re-enabled those that certify 90% of the sites I use. In the following weeks the remaining 10% caught up. In total it was I think six or seven CAs that were required to validate all the certificates of sites that I browse. I have no idea what the rest do but they seem to have a fairly limited audience.
