Re: Alternatives: Re: Root Key - Browser infrastructure

Perhaps it is a bad idea. I didn't see anyone else raise it. Perhaps that
is why.

On Mon., 6 Feb. 2017, 3:47 am Anders Rundgren, <
anders.rundgren.net@gmail.com> wrote:

> On 2017-02-05 16:38, Timothy Holborn wrote:
> > Different set of issues.
>
> There are (almost) always different paths to similar goals.
>
> You want to pursue your original quest, that's OK.  I respect that but the
> market (in general) doesn't care HOW you achieve a certain goal, unless it
> doesn't cost an arm and a leg.
>
> The proposed alternatives address the security/trust issues but in another
> (and in mot cases more powerful) way.
> I understand that your goals go beyond such considerations.
>
> > Internet is distributed to the world. As are browser and the products
> made by Google, apple, Microsoft, akamai, etc. Etc.  Why they can't support
> the delivery of localised
> > https://en.m.wikipedia.org/wiki/Root_certificate
> >
> > Or: Australian citizen --> option for Australian Root-keys are chain,
> >
> > I believe in tern brings about important consideration that may
> influence other aspects to the payments works and other related W3C
> undertaking.  We have lots of options obviously, but given we are so
> dependent upon the desires of browser vendors --> seems rational to see
> what the deal is about this important aspect.
> >
> > Unless of course, the design of what is being built would work in a
> machine where all certificates not provide by a local organisations (both
> OS and Browser stores?) could be removed from the Machine and the payments
> and future credentials and whatever else relating to identity constituents
> would still work.
> >
> > Figured it was an important contribution / considerations.
>
> Anders
>
>
> Nb: cannot find enough links on the current costs...
> >
> > Tim.h.
> >
> > On Mon., 6 Feb. 2017, 2:20 am Anders Rundgren, <
> anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>
> wrote:
> >
> >     On 2017-02-04 13:50, Timothy Holborn wrote:
> >
> >     > If someone has reference to the current cost structures charged by
> >      > browser and OS providers for bundling RootCert stuff, links
> welcomed.
> >
> >     IMO the Australian government should rather consider issuing client
> certificates (or FIDO tokens & IdPs), because (properly used), they provide
> end-2-end security and thus protect users from bad guys operating at the
> network level using fake "taxes.gov.au <http://taxes.gov.au>"
> certificates.
> >     Note: that doesn't require any new roots in browsers.
> >
> >     Even Facebook supports end-2-end security tokens nowadays:
> >
> >
> https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766
> >
> >
> >     My belief is that the number of CAs for the public "TLS PKI"
> actually will *shrink* because the "Cloud" takes 90% of the market.
> >     Letsencrypt/ACME will also contribute making this market less
> unattractive.
> >
> >
> >     When it comes to "sovereignty" the fact is that only the US tech
> industry managed creating client computing software platforms that have
> survived on the market.
> >     We other (Aussies, Europeans, Asians, etc) FAILED, EPICALLY.
> >
> >     Cheers,
> >     Anders
> >
> >     PS I'm sure you will continue your crusade against the "Browser
> Tyranny". I'm actually doing that as well but through "Apps" which is how
> 99% (guesstimate) of the world are dealing with an impossible situation. DS
> >
> https://play.google.com/store/apps/details?id=org.webpki.mobile.android
> >
> >     >
> >     > Tim.h.
> >     >
> >     >
> >     > On Sat., 4 Feb. 2017, 11:48 pm Anders Rundgren, <
> anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>
> <mailto:anders.rundgren.net@gmail.com <mailto:
> anders.rundgren.net@gmail.com>>> wrote:
> >     >
> >     >     On 2017-02-04 13:26, Timothy Holborn wrote:
> >     >>     Different level.
> >     >>
> >     >>     http://www.certificates-australia.com.au. Is an example of
> existing solutions.
> >     >>
> >     >>     An organisation such as Australia Post (for example purposes
> only, without endorsement or suggestion that they're interested in anyway)
> should be able to more easily provide sovereign solutions, without the need
> for international root-keys as the sole solutions distributed by browsers.
> >     >
> >     >     No such solution have been proposed and browser distribution
> implies endorsement.
> >     >
> >     >>
> >     >>     Of course, technical people can easily generate and install
> their own should they choose to, as is outside of the scope of my point.
> >     >
> >     >     That's not what I wrote, installing (not generating) a root
> certificate is not rocket science but I'm rather suggesting dropping the
> whole idea.
> >     >
> >     >
> >     >>
> >     >>     Tim.h.
> >     >>
> >     >>     On Sat., 4 Feb. 2017, 11:21 pm Anders Rundgren, <
> anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>
> <mailto:anders.rundgren.net@gmail.com <mailto:
> anders.rundgren.net@gmail.com>>> wrote:
> >     >>
> >     >>         First it is important to understand that browsers only
> provide roots for TLS (server) certificates.
> >     >>         Secondly, hosting providers like Alibaba, Godaddy,
> Amazon, Microsoft, Google, etc. can issue suitable domain certificates with
> ZERO cost.
> >     >>
> >     >>         If somebody wants to raise a CA for certifying a few
> thousand organization-servers they can do that, including the inclusion in
> browsers.
> >     >>         The cost for these certificates are likely to be $1000 or
> more.
> >     >>
> >     >>         To me this looks like a pretty bad business case.
> >     >>
> >     >>         If there rather is a lingering trust issue here (which
> some folks are prepared paying dearly for...), I'm not aware of any other
> alternative but manually configuring roots in browsers.
> >     >>
> >     >>         Certificates (or similar) for "people"?  Well, that's an
> entirely different issue (and thread).
> >     >>
> >     >>         Anders
> >     >>
> >     >>         On 2017-02-04 03:58, Timothy Holborn wrote:
> >     >>         > Cross-posted
> >     >>         >
> >     >>         > I note that the Root Certificates bundled with
> Browsers, do not universally have sovereign providers (ie: providers
> operating their HQ from a local national provider).  Whilst i can
> understand the rapid development of the web and how this may not have been
> considered previously, as the use of the web continues to develop - isn't
> it becoming more important? Particularly if solutions become bound to
> browsers...
> >     >>         >
> >     >>         > I've done a quick search and found an example for
> mozilla[1]; but moreover,
> >     >>         >
> >     >>         > Do we know what the barriers (ie: economic costs for
> bundling with browsers) are for updating this infrastructure via trusted
> local provider(s)?
> >     >>         >
> >     >>         > I recently heard the cost for bundling a new Root-CA
> provider with all the browsers was a relatively significant barrier.
> >     >>         >
> >     >>         > Whilst these sorts of things (ie: sovereignty
> considerations / rule of law / etc.) have been at the heart of these works,
> i am finding it difficult not to note the finger[2] depicted nationally in
> recent affairs and in the spirit of long-standing precedents[3] value the
> health, safety and welfare that may be born via our efforts.  Of course, as
> an Australian - the affairs of the US administration are quite independent
> to me; other than the fond relationships i have with those who call America
> home and indeed also - that my crypto / data frameworks are most often
> Choice Of Law USA which (as an American legal alien) increasingly concerns
> me.
> >     >>         >
> >     >>         > Whilst i am not advocating for a browser-centric
> solution to be necessary; browsers are difficult things to manage, complex,
> and the future of them is kinda unknown; various storage frameworks provide
> interesting opportunities in-line with W3C standards; and as portions of
> these sorts of AUTH considerations have been within the domain of
> long-standing issues, including that of the function for WebID-TLS and the
> UX frameworks thereby provided; it seemed, this course of consideration
> (ie: how hard is it to make a browser-company policy to lower the cost for
> PKI for decentralisation via lowering the costs) may indeed yield some
> relatively simple ways to both encourage broader involvement, participation
> and consideration via a relatively simple group of policy considerations.
> >     >>         >
> >     >>         > I imagine years ago, as a browser company; the income
> generated this way was part of how to make the production of a browser a
> successful endeavors with paid employees (caring for their families, etc.);
> yet, aren't we a little past that now?  We're working on various ID related
> constituents, etc.
> >     >>         >
> >     >>         > Even if a solution was Google AU or MS AU or similar.
> Still seems better to me.
> >     >>         > /
> >     >>         > /
> >     >>         > /"This is because many uses of digital certificates,
> such as for legally binding digital signatures, are linked to local law,
> regulations, and accreditation schemes for certificate authorities."[4]/
> >     >>         >
> >     >>         > Timothy Holborn
> >     >>         >
> >     >>         >
> >     >>         > [1]
> https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
> >     >>         > [2]
> http://www.smh.com.au/world/wrecking-ball-with-steve-bannon-in-charge-of-security-what-does-donald-trump-mean-for-usaustralia-relations-20170202-gu4kgw.html
> >     >>         > [3] _https://www.youtube.com/watch?v=aiFIu_z4dM8 _
> >     >>         > [4] https://en.wikipedia.org/wiki/Certificate_authority
> >     >>         >
> >     >>         >
> >     >>
> >     >
> >
>
>

Received on Sunday, 5 February 2017 16:52:56 UTC