Root Key - Browser infrastructure

Cross-posted

I note that the Root Certificates bundled with Browsers, do not universally
have sovereign providers (ie: providers operating their HQ from a local
national provider).  Whilst i can understand the rapid development of the
web and how this may not have been considered previously, as the use of the
web continues to develop - isn't it becoming more important? Particularly
if solutions become bound to browsers...

I've done a quick search and found an example for mozilla[1]; but moreover,

Do we know what the barriers (ie: economic costs for bundling with
browsers) are for updating this infrastructure via trusted local
provider(s)?

I recently heard the cost for bundling a new Root-CA provider with all the
browsers was a relatively significant barrier.

Whilst these sorts of things (ie: sovereignty considerations / rule of law
/ etc.) have been at the heart of these works, i am finding it difficult
not to note the finger[2] depicted nationally in recent affairs and in the
spirit of long-standing precedents[3] value the health, safety and welfare
that may be born via our efforts.  Of course, as an Australian - the
affairs of the US administration are quite independent to me; other than
the fond relationships i have with those who call America home and indeed
also - that my crypto / data frameworks are most often Choice Of Law USA
which (as an American legal alien) increasingly concerns me.

Whilst i am not advocating for a browser-centric solution to be necessary;
browsers are difficult things to manage, complex, and the future of them is
kinda unknown; various storage frameworks provide interesting opportunities
in-line with W3C standards; and as portions of these sorts of AUTH
considerations have been within the domain of long-standing issues,
including that of the function for WebID-TLS and the UX frameworks thereby
provided; it seemed, this course of consideration (ie: how hard is it to
make a browser-company policy to lower the cost for PKI for
decentralisation via lowering the costs) may indeed yield some relatively
simple ways to both encourage broader involvement, participation and
consideration via a relatively simple group of policy considerations.

I imagine years ago, as a browser company; the income generated this way
was part of how to make the production of a browser a successful endeavors
with paid employees (caring for their families, etc.); yet, aren't we a
little past that now?  We're working on various ID related constituents,
etc.

Even if a solution was Google AU or MS AU or similar.  Still seems better
to me.

*"This is because many uses of digital certificates, such as for legally
binding digital signatures, are linked to local law, regulations, and
accreditation schemes for certificate authorities."[4]*

Timothy Holborn


[1] https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport

[2]
http://www.smh.com.au/world/wrecking-ball-with-steve-bannon-in-charge-of-security-what-does-donald-trump-mean-for-usaustralia-relations-20170202-gu4kgw.html

[3] *https://www.youtube.com/watch?v=aiFIu_z4dM8
<https://www.youtube.com/watch?v=aiFIu_z4dM8> *
[4] https://en.wikipedia.org/wiki/Certificate_authority

Received on Saturday, 4 February 2017 02:59:20 UTC