Re: Alternatives: Re: Root Key - Browser infrastructure from Timothy Holborn on 2017-02-05 (public-rww@w3.org from February 2017)

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Sun, 05 Feb 2017 15:38:13 +0000
To: Anders Rundgren <anders.rundgren.net@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, Web Payments CG <public-webpayments@w3.org>, public-rww <public-rww@w3.org>
Message-ID: <CAM1Sok2Dfhwucrfpzhdiw9OWovhQzLKvKpHUA-UKWimvv++B9A@mail.gmail.com>
Different set of issues.

Internet is distributed to the world. As are browser and the products made
by Google, apple, Microsoft, akamai, etc. Etc.  Why they can't support the
delivery of localised
https://en.m.wikipedia.org/wiki/Root_certificate

Or: Australian citizen --> option for Australian Root-keys are chain,

I believe in tern brings about important consideration that may influence
other aspects to the payments works and other related W3C undertaking.  We
have lots of options obviously, but given we are so dependent upon the
desires of browser vendors --> seems rational to see what the deal is about
this important aspect.

Unless of course, the design of what is being built would work in a machine
where all certificates not provide by a local organisations (both OS and
Browser stores?) could be removed from the Machine and the payments and
future credentials and whatever else relating to identity constituents
would still work.

Figured it was an important contribution / considerations.  Nb: cannot find
enough links on the current costs...

Tim.h.

On Mon., 6 Feb. 2017, 2:20 am Anders Rundgren, <
anders.rundgren.net@gmail.com> wrote:

> On 2017-02-04 13:50, Timothy Holborn wrote:
>
> > If someone has reference to the current cost structures charged by
>  > browser and OS providers for bundling RootCert stuff, links welcomed.
>
> IMO the Australian government should rather consider issuing client
> certificates (or FIDO tokens & IdPs), because (properly used), they provide
> end-2-end security and thus protect users from bad guys operating at the
> network level using fake "taxes.gov.au" certificates.
> Note: that doesn't require any new roots in browsers.
>
> Even Facebook supports end-2-end security tokens nowadays:
>
>
> https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766
>
>
> My belief is that the number of CAs for the public "TLS PKI" actually will
> *shrink* because the "Cloud" takes 90% of the market.
> Letsencrypt/ACME will also contribute making this market less unattractive.
>
>
> When it comes to "sovereignty" the fact is that only the US tech industry
> managed creating client computing software platforms that have survived on
> the market.
> We other (Aussies, Europeans, Asians, etc) FAILED, EPICALLY.
>
> Cheers,
> Anders
>
> PS I'm sure you will continue your crusade against the "Browser Tyranny".
> I'm actually doing that as well but through "Apps" which is how 99%
> (guesstimate) of the world are dealing with an impossible situation. DS
> https://play.google.com/store/apps/details?id=org.webpki.mobile.android
>
> >
> > Tim.h.
> >
> >
> > On Sat., 4 Feb. 2017, 11:48 pm Anders Rundgren, <
> anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>
> wrote:
> >
> >     On 2017-02-04 13:26, Timothy Holborn wrote:
> >>     Different level.
> >>
> >>     http://www.certificates-australia.com.au. Is an example of
> existing solutions.
> >>
> >>     An organisation such as Australia Post (for example purposes only,
> without endorsement or suggestion that they're interested in anyway) should
> be able to more easily provide sovereign solutions, without the need for
> international root-keys as the sole solutions distributed by browsers.
> >
> >     No such solution have been proposed and browser distribution implies
> endorsement.
> >
> >>
> >>     Of course, technical people can easily generate and install their
> own should they choose to, as is outside of the scope of my point.
> >
> >     That's not what I wrote, installing (not generating) a root
> certificate is not rocket science but I'm rather suggesting dropping the
> whole idea.
> >
> >
> >>
> >>     Tim.h.
> >>
> >>     On Sat., 4 Feb. 2017, 11:21 pm Anders Rundgren, <
> anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>
> wrote:
> >>
> >>         First it is important to understand that browsers only provide
> roots for TLS (server) certificates.
> >>         Secondly, hosting providers like Alibaba, Godaddy, Amazon,
> Microsoft, Google, etc. can issue suitable domain certificates with ZERO
> cost.
> >>
> >>         If somebody wants to raise a CA for certifying a few thousand
> organization-servers they can do that, including the inclusion in browsers.
> >>         The cost for these certificates are likely to be $1000 or more.
> >>
> >>         To me this looks like a pretty bad business case.
> >>
> >>         If there rather is a lingering trust issue here (which some
> folks are prepared paying dearly for...), I'm not aware of any other
> alternative but manually configuring roots in browsers.
> >>
> >>         Certificates (or similar) for "people"?  Well, that's an
> entirely different issue (and thread).
> >>
> >>         Anders
> >>
> >>         On 2017-02-04 03:58, Timothy Holborn wrote:
> >>         > Cross-posted
> >>         >
> >>         > I note that the Root Certificates bundled with Browsers, do
> not universally have sovereign providers (ie: providers operating their HQ
> from a local national provider).  Whilst i can understand the rapid
> development of the web and how this may not have been considered
> previously, as the use of the web continues to develop - isn't it becoming
> more important? Particularly if solutions become bound to browsers...
> >>         >
> >>         > I've done a quick search and found an example for mozilla[1];
> but moreover,
> >>         >
> >>         > Do we know what the barriers (ie: economic costs for bundling
> with browsers) are for updating this infrastructure via trusted local
> provider(s)?
> >>         >
> >>         > I recently heard the cost for bundling a new Root-CA provider
> with all the browsers was a relatively significant barrier.
> >>         >
> >>         > Whilst these sorts of things (ie: sovereignty considerations
> / rule of law / etc.) have been at the heart of these works, i am finding
> it difficult not to note the finger[2] depicted nationally in recent
> affairs and in the spirit of long-standing precedents[3] value the health,
> safety and welfare that may be born via our efforts.  Of course, as an
> Australian - the affairs of the US administration are quite independent to
> me; other than the fond relationships i have with those who call America
> home and indeed also - that my crypto / data frameworks are most often
> Choice Of Law USA which (as an American legal alien) increasingly concerns
> me.
> >>         >
> >>         > Whilst i am not advocating for a browser-centric solution to
> be necessary; browsers are difficult things to manage, complex, and the
> future of them is kinda unknown; various storage frameworks provide
> interesting opportunities in-line with W3C standards; and as portions of
> these sorts of AUTH considerations have been within the domain of
> long-standing issues, including that of the function for WebID-TLS and the
> UX frameworks thereby provided; it seemed, this course of consideration
> (ie: how hard is it to make a browser-company policy to lower the cost for
> PKI for decentralisation via lowering the costs) may indeed yield some
> relatively simple ways to both encourage broader involvement, participation
> and consideration via a relatively simple group of policy considerations.
> >>         >
> >>         > I imagine years ago, as a browser company; the income
> generated this way was part of how to make the production of a browser a
> successful endeavors with paid employees (caring for their families, etc.);
> yet, aren't we a little past that now?  We're working on various ID related
> constituents, etc.
> >>         >
> >>         > Even if a solution was Google AU or MS AU or similar.  Still
> seems better to me.
> >>         > /
> >>         > /
> >>         > /"This is because many uses of digital certificates, such as
> for legally binding digital signatures, are linked to local law,
> regulations, and accreditation schemes for certificate authorities."[4]/
> >>         >
> >>         > Timothy Holborn
> >>         >
> >>         >
> >>         > [1]
> https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
> >>         > [2]
> http://www.smh.com.au/world/wrecking-ball-with-steve-bannon-in-charge-of-security-what-does-donald-trump-mean-for-usaustralia-relations-20170202-gu4kgw.html
> >>         > [3] _https://www.youtube.com/watch?v=aiFIu_z4dM8 _
> >>         > [4] https://en.wikipedia.org/wiki/Certificate_authority
> >>         >
> >>         >
> >>
> >
>
>
Received on Sunday, 5 February 2017 15:39:00 UTC