> If there's a root CA that's handing out certs for malware extensions then sure, pull the plug, but if the root CA is handing out certs for ad blockers and Google pulls the plug then it'll be plain as day what they're doing.
Pulling a root CA is no more public than blocking an extension from the Chrome Web Store. In both cases it is clear that Google has taken the action, and whoever has gotten blocked can protest it publicly (just like people do now for Apple App Store rejections). The Chrome Web Store doesn't give Google any kind of "cover" or "shield."
Additionally, revoking an entire root CA that was letting malware through (intentionally or unintentionally) would be far more intrusive than pulling a single extension from the Web Store, because every extension that the CA had approved would be affected, even if they were not malware.
What annoys me about this entire thread is that the OP (which was voted to the top of the story's comments) presumes that you can sprinkle some crypto fairy dust and get just as much security against malware without having to give up any control. And it goes so far as to assume bad intentions on Google's part for not doing it. But it's not that easy; crypto isn't a magic wand that lets you have your cake and eat it too.
> (OP:) if security is all they cared about, a signed certificate is all that's necessary.
Um no. It's not that simple.
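The blast-radius point made above (pulling a root invalidates every extension it ever signed, while a store takedown hits one extension) can be shown directly with Go's standard `crypto/x509` verifier. This is an added example, not code from this thread; the "Demo Extension CA", the two extension names and the fingerprint blocklist are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert returns a self-signed CA when parent is nil, else a code-signing leaf issued by parent.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil { // root: may sign other certificates and signs itself
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BlastRadius signs an ad-blocker and a malware extension under one constructed root, then counts how many of the two stay installable after (1) blocklisting only the malware leaf and (2) distrusting the whole root.
func BlastRadius() (afterLeafBlock, afterRootDistrust int) {
	root, rootKey := makeCert("Demo Extension CA", nil, nil)
	adblock, _ := makeCert("adblock-ext", root, rootKey)
	malware, _ := makeCert("malware-ext", root, rootKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	blocked := map[[32]byte]bool{sha256.Sum256(malware.Raw): true} // blocklist keyed by leaf fingerprint
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	for _, leaf := range []*x509.Certificate{adblock, malware} {
		// Remedy 1: the root stays trusted; only the fingerprinted leaf is refused.
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: eku}); err == nil && !blocked[sha256.Sum256(leaf.Raw)] {
			afterLeafBlock++
		}
		// Remedy 2: the root is pulled (empty trust store); every leaf it issued fails, malware or not.
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: eku}); err == nil {
			afterRootDistrust++
		}
	}
	return // 1, 0
}
```

Remedy 1 leaves the ad blocker installable and refuses only the malware; remedy 2 refuses both, which is exactly why distrusting a CA is the coarser tool.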