- From: Timothy Holborn <timothy.holborn@gmail.com>
- Date: Sat, 04 Feb 2017 12:50:55 +0000
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, Web Payments CG <public-webpayments@w3.org>, public-rww <public-rww@w3.org>
- Message-ID: <CAM1Sok091ypgAuR=8OkpkD3_GL1uZUMmYVGoB_X7r6=baMA1bw@mail.gmail.com>
If someone has reference to the current cost structures charged by browser and OS providers for bundling RootCert stuff, links welcomed. Tim.h. On Sat., 4 Feb. 2017, 11:48 pm Anders Rundgren, < anders.rundgren.net@gmail.com> wrote: > On 2017-02-04 13:26, Timothy Holborn wrote: > > Different level. > > http://www.certificates-australia.com.au. Is an example of existing > solutions. > > An organisation such as Australia Post (for example purposes only, without > endorsement or suggestion that they're interested in anyway) should be able > to more easily provide sovereign solutions, without the need for > international root-keys as the sole solutions distributed by browsers. > > > No such solution have been proposed and browser distribution implies > endorsement. > > > Of course, technical people can easily generate and install their own > should they choose to, as is outside of the scope of my point. > > > That's not what I wrote, installing (not generating) a root certificate is > not rocket science but I'm rather suggesting dropping the whole idea. > > > > Tim.h. > > On Sat., 4 Feb. 2017, 11:21 pm Anders Rundgren, < > anders.rundgren.net@gmail.com> wrote: > > First it is important to understand that browsers only provide roots for > TLS (server) certificates. > Secondly, hosting providers like Alibaba, Godaddy, Amazon, Microsoft, > Google, etc. can issue suitable domain certificates with ZERO cost. > > If somebody wants to raise a CA for certifying a few thousand > organization-servers they can do that, including the inclusion in browsers. > The cost for these certificates are likely to be $1000 or more. > > To me this looks like a pretty bad business case. > > If there rather is a lingering trust issue here (which some folks are > prepared paying dearly for...), I'm not aware of any other alternative but > manually configuring roots in browsers. > > Certificates (or similar) for "people"? Well, that's an entirely > different issue (and thread). > > Anders > > On 2017-02-04 03:58, Timothy Holborn wrote: > > Cross-posted > > > > I note that the Root Certificates bundled with Browsers, do not > universally have sovereign providers (ie: providers operating their HQ from > a local national provider). Whilst i can understand the rapid development > of the web and how this may not have been considered previously, as the use > of the web continues to develop - isn't it becoming more important? > Particularly if solutions become bound to browsers... > > > > I've done a quick search and found an example for mozilla[1]; but > moreover, > > > > Do we know what the barriers (ie: economic costs for bundling with > browsers) are for updating this infrastructure via trusted local > provider(s)? > > > > I recently heard the cost for bundling a new Root-CA provider with all > the browsers was a relatively significant barrier. > > > > Whilst these sorts of things (ie: sovereignty considerations / rule of > law / etc.) have been at the heart of these works, i am finding it > difficult not to note the finger[2] depicted nationally in recent affairs > and in the spirit of long-standing precedents[3] value the health, safety > and welfare that may be born via our efforts. Of course, as an Australian > - the affairs of the US administration are quite independent to me; other > than the fond relationships i have with those who call America home and > indeed also - that my crypto / data frameworks are most often Choice Of Law > USA which (as an American legal alien) increasingly concerns me. > > > > Whilst i am not advocating for a browser-centric solution to be > necessary; browsers are difficult things to manage, complex, and the future > of them is kinda unknown; various storage frameworks provide interesting > opportunities in-line with W3C standards; and as portions of these sorts of > AUTH considerations have been within the domain of long-standing issues, > including that of the function for WebID-TLS and the UX frameworks thereby > provided; it seemed, this course of consideration (ie: how hard is it to > make a browser-company policy to lower the cost for PKI for > decentralisation via lowering the costs) may indeed yield some relatively > simple ways to both encourage broader involvement, participation and > consideration via a relatively simple group of policy considerations. > > > > I imagine years ago, as a browser company; the income generated this way > was part of how to make the production of a browser a successful endeavors > with paid employees (caring for their families, etc.); yet, aren't we a > little past that now? We're working on various ID related constituents, > etc. > > > > Even if a solution was Google AU or MS AU or similar. Still seems > better to me. > > / > > / > > /"This is because many uses of digital certificates, such as for legally > binding digital signatures, are linked to local law, regulations, and > accreditation schemes for certificate authorities."[4]/ > > > > Timothy Holborn > > > > > > [1] > https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport > > [2] > http://www.smh.com.au/world/wrecking-ball-with-steve-bannon-in-charge-of-security-what-does-donald-trump-mean-for-usaustralia-relations-20170202-gu4kgw.html > > [3] _https://www.youtube.com/watch?v=aiFIu_z4dM8 _ > > [4] https://en.wikipedia.org/wiki/Certificate_authority > > > > > > >
Received on Saturday, 4 February 2017 12:51:43 UTC