Re: Root Key - Browser infrastructure

If someone has reference to the current cost structures charged by browser
and OS providers for bundling RootCert stuff, links welcomed.

Tim.h.

On Sat., 4 Feb. 2017, 11:48 pm Anders Rundgren, <
anders.rundgren.net@gmail.com> wrote:

> On 2017-02-04 13:26, Timothy Holborn wrote:
>
> Different level.
>
> http://www.certificates-australia.com.au. Is an example of existing
> solutions.
>
> An organisation such as Australia Post (for example purposes only, without
> endorsement or suggestion that they're interested in anyway) should be able
> to more easily provide sovereign solutions, without the need for
> international root-keys as the sole solutions distributed by browsers.
>
>
> No such solution have been proposed and browser distribution implies
> endorsement.
>
>
> Of course, technical people can easily generate and install their own
> should they choose to, as is outside of the scope of my point.
>
>
> That's not what I wrote, installing (not generating) a root certificate is
> not rocket science but I'm rather suggesting dropping the whole idea.
>
>
>
> Tim.h.
>
> On Sat., 4 Feb. 2017, 11:21 pm Anders Rundgren, <
> anders.rundgren.net@gmail.com> wrote:
>
> First it is important to understand that browsers only provide roots for
> TLS (server) certificates.
> Secondly, hosting providers like Alibaba, Godaddy, Amazon, Microsoft,
> Google, etc. can issue suitable domain certificates with ZERO cost.
>
> If somebody wants to raise a CA for certifying a few thousand
> organization-servers they can do that, including the inclusion in browsers.
> The cost for these certificates are likely to be $1000 or more.
>
> To me this looks like a pretty bad business case.
>
> If there rather is a lingering trust issue here (which some folks are
> prepared paying dearly for...), I'm not aware of any other alternative but
> manually configuring roots in browsers.
>
> Certificates (or similar) for "people"?  Well, that's an entirely
> different issue (and thread).
>
> Anders
>
> On 2017-02-04 03:58, Timothy Holborn wrote:
> > Cross-posted
> >
> > I note that the Root Certificates bundled with Browsers, do not
> universally have sovereign providers (ie: providers operating their HQ from
> a local national provider).  Whilst i can understand the rapid development
> of the web and how this may not have been considered previously, as the use
> of the web continues to develop - isn't it becoming more important?
> Particularly if solutions become bound to browsers...
> >
> > I've done a quick search and found an example for mozilla[1]; but
> moreover,
> >
> > Do we know what the barriers (ie: economic costs for bundling with
> browsers) are for updating this infrastructure via trusted local
> provider(s)?
> >
> > I recently heard the cost for bundling a new Root-CA provider with all
> the browsers was a relatively significant barrier.
> >
> > Whilst these sorts of things (ie: sovereignty considerations / rule of
> law / etc.) have been at the heart of these works, i am finding it
> difficult not to note the finger[2] depicted nationally in recent affairs
> and in the spirit of long-standing precedents[3] value the health, safety
> and welfare that may be born via our efforts.  Of course, as an Australian
> - the affairs of the US administration are quite independent to me; other
> than the fond relationships i have with those who call America home and
> indeed also - that my crypto / data frameworks are most often Choice Of Law
> USA which (as an American legal alien) increasingly concerns me.
> >
> > Whilst i am not advocating for a browser-centric solution to be
> necessary; browsers are difficult things to manage, complex, and the future
> of them is kinda unknown; various storage frameworks provide interesting
> opportunities in-line with W3C standards; and as portions of these sorts of
> AUTH considerations have been within the domain of long-standing issues,
> including that of the function for WebID-TLS and the UX frameworks thereby
> provided; it seemed, this course of consideration (ie: how hard is it to
> make a browser-company policy to lower the cost for PKI for
> decentralisation via lowering the costs) may indeed yield some relatively
> simple ways to both encourage broader involvement, participation and
> consideration via a relatively simple group of policy considerations.
> >
> > I imagine years ago, as a browser company; the income generated this way
> was part of how to make the production of a browser a successful endeavors
> with paid employees (caring for their families, etc.); yet, aren't we a
> little past that now?  We're working on various ID related constituents,
> etc.
> >
> > Even if a solution was Google AU or MS AU or similar.  Still seems
> better to me.
> > /
> > /
> > /"This is because many uses of digital certificates, such as for legally
> binding digital signatures, are linked to local law, regulations, and
> accreditation schemes for certificate authorities."[4]/
> >
> > Timothy Holborn
> >
> >
> > [1]
> https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
> > [2]
> http://www.smh.com.au/world/wrecking-ball-with-steve-bannon-in-charge-of-security-what-does-donald-trump-mean-for-usaustralia-relations-20170202-gu4kgw.html
> > [3] _https://www.youtube.com/watch?v=aiFIu_z4dM8 _
> > [4] https://en.wikipedia.org/wiki/Certificate_authority
> >
> >
>
>
>

Received on Saturday, 4 February 2017 12:51:42 UTC