Why not obtain certificates from their sources instead of a third party.
Maybe intermediaries ("middlemen") are trustworthy, and using third party is not single point of failure. Maybe people love the convenience. Maybe it is just laziness. Who knows.
(I suspect the OS vendors may in some cases use the Mozilla bundle.)
Personally I find that many of the certificates in the Mozilla bundle or in browsers are ones I never use. I certainly do not need them all. Sometimes when experimenting with TLS I download root certificates from the companies that provide them. It's certainly possible to get them from their source instead of Mozilla.
At least with system certificates, the user can remove the ones she does not want. With certificates included in browsers, the user would have to edit the source code and re-compile. The so-called "modern" browsers are extremely cumbersome in that regard. Huge size and slow, resource-intensive compilation.
And for some of the popular "modern" browsers modification and re-compilation is not even possible because the source code is unavailable.
> Why not obtain certificates from their sources instead of a third party.
You can't do this sustainably. We're talking about hundreds of certificates that get cross-signed and rotated on varying bases.
Nothing about this boils down to laziness: CA and bundle management is very difficult. Mozilla does a good job given the complexity, and arguably do a better job (including perceived conflicts of interest) than anybody else who could be tasked with the responsibility.
What does "You" refer to in this comment. And what does "sustainably" mean. Sustainable by who. And for what purpose. Every computer user is different and each may have different needs.
“You” means an end user, and “sustainably” is in this context “mean ordinary Internet usage.”
If you want to maintain your own CA bundle, absolutely nothing is stopping you from doing so. But it would not be reasonable of us to expect ordinary users, including people who just want to connect to their banks securely, to do so. And even if we were to make such an unreasonable imposition, it’s not clear that it actually improves their security posture in any way.
Agreed. The point I was was raising originally is why other options besides sourcing certificates from third parties are not considered. Using a Mozilla bundle is one option. Relying on hardcoded certificates in a web browser or other application is another option. IMO, these are not the only options. The "user" should have a choice.
With respect to computers and the internet, there is substantial history of problems with third party intermediaries. Deliberately excluding, or even just failing to recognise, the option for a user to eliminate a third party intermediary is highly suspect given that history, IMHO.
Maybe intermediaries ("middlemen") are trustworthy, and using third party is not single point of failure. Maybe people love the convenience. Maybe it is just laziness. Who knows.
(I suspect the OS vendors may in some cases use the Mozilla bundle.)
Personally I find that many of the certificates in the Mozilla bundle or in browsers are ones I never use. I certainly do not need them all. Sometimes when experimenting with TLS I download root certificates from the companies that provide them. It's certainly possible to get them from their source instead of Mozilla.
At least with system certificates, the user can remove the ones she does not want. With certificates included in browsers, the user would have to edit the source code and re-compile. The so-called "modern" browsers are extremely cumbersome in that regard. Huge size and slow, resource-intensive compilation. And for some of the popular "modern" browsers modification and re-compilation is not even possible because the source code is unavailable.