> Why not obtain certificates from their sources instead of a third party?
You can't do this sustainably. We're talking about hundreds of certificates that get cross-signed and rotated on varying bases.
Nothing about this boils down to laziness: CA and bundle management is very difficult. Mozilla does a good job given the complexity, and arguably does a better job (including perceived conflicts of interest) than anybody else who could be tasked with the responsibility.
What does "You" refer to in this comment? And what does "sustainably" mean? Sustainable by who? And for what purpose? Every computer user is different and each may have different needs.
“You” means an end user, and “sustainably” in this context means “ordinary Internet usage.”
If you want to maintain your own CA bundle, absolutely nothing is stopping you from doing so. But it would not be reasonable of us to expect ordinary users, including people who just want to connect to their banks securely, to do so. And even if we were to make such an unreasonable imposition, it’s not clear that it actually improves their security posture in any way.
Agreed. The point I was raising originally is why other options besides sourcing certificates from third parties are not considered. Using a Mozilla bundle is one option. Relying on hardcoded certificates in a web browser or other application is another option. IMO, these are not the only options. The "user" should have a choice.
With respect to computers and the internet, there is substantial history of problems with third party intermediaries. Deliberately excluding, or even just failing to recognise, the option for a user to eliminate a third party intermediary is highly suspect given that history, IMHO.