> but the certificates themselves will not necessarily be "less secure" - which the layman typically interprets as "cryptographically weaker".
I think this is word-games. If all we cared about was cryptographic security we wouldn't have certificate authorities in the first place; making certificates that are themselves secure isn't hard. The only reason we care about certificate authorities is because of the security of the surrounding process: which is exactly the stuff that Mozilla is complaining about.
You're minimizing the most important part of a certificate authority. It's like going into a discussion about a potential phishing vulnerability and saying, "there's no security risk because the browser requests are still going over SSL."
The point of a certificate authority isn't just to have cryptographically secure certificates, it's to have a secure issuer. So it feels really misleading to completely jump over the concerns Mozilla has laid out about weaker standards for issuer security and say that it's fine just because everything is still encrypted.