- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 5 Feb 2017 16:20:38 +0100
- To: Timothy Holborn <timothy.holborn@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, Web Payments CG <public-webpayments@w3.org>, public-rww <public-rww@w3.org>
On 2017-02-04 13:50, Timothy Holborn wrote:
> If someone has reference to the current cost structures charged by
> browser and OS providers for bundling RootCert stuff, links welcomed.

IMO the Australian government should rather consider issuing client certificates (or FIDO tokens & IdPs), because (properly used), they provide end-2-end security and thus protect users from bad guys operating at the network level using fake "taxes.gov.au" certificates. Note: that doesn't require any new roots in browsers.

Even Facebook supports end-2-end security tokens nowadays:
https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766

My belief is that the number of CAs for the public "TLS PKI" actually will *shrink* because the "Cloud" takes 90% of the market. Letsencrypt/ACME will also contribute making this market less unattractive.

When it comes to "sovereignty" the fact is that only the US tech industry managed creating client computing software platforms that have survived on the market. We others (Aussies, Europeans, Asians, etc) FAILED, EPICALLY.

Cheers,
Anders

PS I'm sure you will continue your crusade against the "Browser Tyranny". I'm actually doing that as well but through "Apps" which is how 99% (guesstimate) of the world are dealing with an impossible situation. DS
https://play.google.com/store/apps/details?id=org.webpki.mobile.android

>
> Tim.h.
>
>
> On Sat., 4 Feb. 2017, 11:48 pm Anders Rundgren, <anders.rundgren.net@gmail.com> wrote:
>
> On 2017-02-04 13:26, Timothy Holborn wrote:
>> Different level.
>>
>> http://www.certificates-australia.com.au is an example of existing solutions.
>>
>> An organisation such as Australia Post (for example purposes only, without endorsement or suggestion that they're interested in any way) should be able to more easily provide sovereign solutions, without the need for international root-keys as the sole solutions distributed by browsers.
>
> No such solution has been proposed and browser distribution implies endorsement.
>
>> Of course, technical people can easily generate and install their own should they choose to, as is outside of the scope of my point.
>
> That's not what I wrote, installing (not generating) a root certificate is not rocket science but I'm rather suggesting dropping the whole idea.
>
>> Tim.h.
>>
>> On Sat., 4 Feb. 2017, 11:21 pm Anders Rundgren, <anders.rundgren.net@gmail.com> wrote:
>>
>> First it is important to understand that browsers only provide roots for TLS (server) certificates.
>> Secondly, hosting providers like Alibaba, Godaddy, Amazon, Microsoft, Google, etc. can issue suitable domain certificates with ZERO cost.
>>
>> If somebody wants to raise a CA for certifying a few thousand organization-servers they can do that, including the inclusion in browsers.
>> The cost for these certificates is likely to be $1000 or more.
>>
>> To me this looks like a pretty bad business case.
>>
>> If there rather is a lingering trust issue here (which some folks are prepared paying dearly for...), I'm not aware of any other alternative but manually configuring roots in browsers.
>>
>> Certificates (or similar) for "people"? Well, that's an entirely different issue (and thread).
>>
>> Anders
>>
>> On 2017-02-04 03:58, Timothy Holborn wrote:
>>> Cross-posted
>>>
>>> I note that the Root Certificates bundled with Browsers do not universally have sovereign providers (ie: providers operating their HQ from a local national provider). Whilst I can understand the rapid development of the web and how this may not have been considered previously, as the use of the web continues to develop - isn't it becoming more important? Particularly if solutions become bound to browsers...
>>>
>>> I've done a quick search and found an example for mozilla[1]; but moreover,
>>>
>>> Do we know what the barriers (ie: economic costs for bundling with browsers) are for updating this infrastructure via trusted local provider(s)?
>>>
>>> I recently heard the cost for bundling a new Root-CA provider with all the browsers was a relatively significant barrier.
>>>
>>> Whilst these sorts of things (ie: sovereignty considerations / rule of law / etc.) have been at the heart of these works, I am finding it difficult not to note the finger[2] depicted nationally in recent affairs and in the spirit of long-standing precedents[3] value the health, safety and welfare that may be born via our efforts. Of course, as an Australian - the affairs of the US administration are quite independent to me; other than the fond relationships I have with those who call America home and indeed also - that my crypto / data frameworks are most often Choice Of Law USA which (as an American legal alien) increasingly concerns me.
>>>
>>> Whilst I am not advocating for a browser-centric solution to be necessary; browsers are difficult things to manage, complex, and the future of them is kinda unknown; various storage frameworks provide interesting opportunities in-line with W3C standards; and as portions of these sorts of AUTH considerations have been within the domain of long-standing issues, including that of the function for WebID-TLS and the UX frameworks thereby provided; it seemed, this course of consideration (ie: how hard is it to make a browser-company policy to lower the cost for PKI for decentralisation via lowering the costs) may indeed yield some relatively simple ways to both encourage broader involvement, participation and consideration via a relatively simple group of policy considerations.
>>>
>>> I imagine years ago, as a browser company, the income generated this way was part of how to make the production of a browser a successful endeavor with paid employees (caring for their families, etc.); yet, aren't we a little past that now? We're working on various ID related constituents, etc.
>>>
>>> Even if a solution was Google AU or MS AU or similar. Still seems better to me.
>>>
>>> "This is because many uses of digital certificates, such as for legally binding digital signatures, are linked to local law, regulations, and accreditation schemes for certificate authorities."[4]
>>>
>>> Timothy Holborn
>>>
>>>
>>> [1] https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
>>> [2] http://www.smh.com.au/world/wrecking-ball-with-steve-bannon-in-charge-of-security-what-does-donald-trump-mean-for-usaustralia-relations-20170202-gu4kgw.html
>>> [3] https://www.youtube.com/watch?v=aiFIu_z4dM8
>>> [4] https://en.wikipedia.org/wiki/Certificate_authority
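The thread above argues two points in passing: that browser root stores only vouch for TLS server certificates, and that client certificates can be deployed by an organisation under its own private root without adding anything to browsers, because the server, not the browser, verifies the client. The following Go program is an added illustration written for this archive page, not code from any participant: it mints a private root, a server certificate for the made-up host taxes.example and a client certificate, then starts a TLS server that requires a client certificate issued under that root. A client holding the certificate connects; a client without it (as any party that does not hold the client's private key would be) is rejected at the handshake. The hostname, certificate subjects and one-hour validity are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for template. With a nil
// parent the certificate is self-signed (our private root); otherwise it is
// signed by parentKey as a child of parent.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func tlsCert(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// connect dials the server and reads its greeting. The read is what surfaces a
// rejected client certificate under TLS 1.3, where the client side of the
// handshake completes before the server has checked the certificate.
func connect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = conn.Read(make([]byte, 16))
	return err
}

// MutualTLSDemo returns whether a client presenting a certificate from the
// private root was accepted, and the error a client without one received.
func MutualTLSDemo() (withCertOK bool, withoutCertErr error, err error) {
	now := time.Now()
	validity := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	}
	rootTmpl := validity(1, "Demo Private Root") // assumption: never installed in any browser
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid, rootTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	root, rootKey, err := issue(rootTmpl, nil, nil)
	if err != nil {
		return false, nil, err
	}
	srvTmpl := validity(2, "taxes.example") // hypothetical host name
	srvTmpl.DNSNames = []string{"taxes.example"}
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srv, srvKey, err := issue(srvTmpl, root, rootKey)
	if err != nil {
		return false, nil, err
	}
	cliTmpl := validity(3, "citizen-0001") // constructed client identity
	cliTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	cli, cliKey, err := issue(cliTmpl, root, rootKey)
	if err != nil {
		return false, nil, err
	}

	pool := x509.NewCertPool()
	pool.AddCert(root)
	// The server verifies clients against the private root; browsers play no part.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{tlsCert(srv, srvKey)},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	})
	if err != nil {
		return false, nil, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); c.Write([]byte("ok\n")) }() // Write runs the handshake
		}
	}()

	base := &tls.Config{RootCAs: pool, ServerName: "taxes.example"}
	withCert := base.Clone()
	withCert.Certificates = []tls.Certificate{tlsCert(cli, cliKey)}
	withCertOK = connect(ln.Addr().String(), withCert) == nil
	withoutCertErr = connect(ln.Addr().String(), base)
	return withCertOK, withoutCertErr, nil
}

func main() {
	ok, noCertErr, err := MutualTLSDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("with client certificate accepted:", ok)
	fmt.Println("without client certificate:", noCertErr)
}
```

The client-side `RootCAs` pool stands in for the browser's root store; it is only consulted to verify the server. The `ClientCAs` pool on the server is the organisation's own trust anchor for people, which is why nothing needs to be bundled with browsers for this direction of authentication.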
Received on Sunday, 5 February 2017 15:21:32 UTC