- From: Timothy Holborn <timothy.holborn@gmail.com>
- Date: Sun, 05 Feb 2017 16:52:07 +0000
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, Web Payments CG <public-webpayments@w3.org>, public-rww <public-rww@w3.org>
- Message-ID: <CAM1Sok22VR8y1uD0pMnwZt1s38Guh6Mbv5348xT-d+JUyH-i7A@mail.gmail.com>
Perhaps it is a bad idea. I didn't see anyone else raise it. Perhaps that is why. On Mon., 6 Feb. 2017, 3:47 am Anders Rundgren, < anders.rundgren.net@gmail.com> wrote: > On 2017-02-05 16:38, Timothy Holborn wrote: > > Different set of issues. > > There are (almost) always different paths to similar goals. > > You want to pursue your original quest, that's OK. I respect that but the > market (in general) doesn't care HOW you achieve a certain goal, unless it > doesn't cost an arm and a leg. > > The proposed alternatives address the security/trust issues but in another > (and in mot cases more powerful) way. > I understand that your goals go beyond such considerations. > > > Internet is distributed to the world. As are browser and the products > made by Google, apple, Microsoft, akamai, etc. Etc. Why they can't support > the delivery of localised > > https://en.m.wikipedia.org/wiki/Root_certificate > > > > Or: Australian citizen --> option for Australian Root-keys are chain, > > > > I believe in tern brings about important consideration that may > influence other aspects to the payments works and other related W3C > undertaking. We have lots of options obviously, but given we are so > dependent upon the desires of browser vendors --> seems rational to see > what the deal is about this important aspect. > > > > Unless of course, the design of what is being built would work in a > machine where all certificates not provide by a local organisations (both > OS and Browser stores?) could be removed from the Machine and the payments > and future credentials and whatever else relating to identity constituents > would still work. > > > > Figured it was an important contribution / considerations. > > Anders > > > Nb: cannot find enough links on the current costs... > > > > Tim.h. > > > > On Mon., 6 Feb. 2017, 2:20 am Anders Rundgren, < > anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> > wrote: > > > > On 2017-02-04 13:50, Timothy Holborn wrote: > > > > > If someone has reference to the current cost structures charged by > > > browser and OS providers for bundling RootCert stuff, links > welcomed. > > > > IMO the Australian government should rather consider issuing client > certificates (or FIDO tokens & IdPs), because (properly used), they provide > end-2-end security and thus protect users from bad guys operating at the > network level using fake "taxes.gov.au <http://taxes.gov.au>" > certificates. > > Note: that doesn't require any new roots in browsers. > > > > Even Facebook supports end-2-end security tokens nowadays: > > > > > https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766 > > > > > > My belief is that the number of CAs for the public "TLS PKI" > actually will *shrink* because the "Cloud" takes 90% of the market. > > Letsencrypt/ACME will also contribute making this market less > unattractive. > > > > > > When it comes to "sovereignty" the fact is that only the US tech > industry managed creating client computing software platforms that have > survived on the market. > > We other (Aussies, Europeans, Asians, etc) FAILED, EPICALLY. > > > > Cheers, > > Anders > > > > PS I'm sure you will continue your crusade against the "Browser > Tyranny". I'm actually doing that as well but through "Apps" which is how > 99% (guesstimate) of the world are dealing with an impossible situation. DS > > > https://play.google.com/store/apps/details?id=org.webpki.mobile.android > > > > > > > > Tim.h. > > > > > > > > > On Sat., 4 Feb. 2017, 11:48 pm Anders Rundgren, < > anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> > <mailto:anders.rundgren.net@gmail.com <mailto: > anders.rundgren.net@gmail.com>>> wrote: > > > > > > On 2017-02-04 13:26, Timothy Holborn wrote: > > >> Different level. > > >> > > >> http://www.certificates-australia.com.au. Is an example of > existing solutions. > > >> > > >> An organisation such as Australia Post (for example purposes > only, without endorsement or suggestion that they're interested in anyway) > should be able to more easily provide sovereign solutions, without the need > for international root-keys as the sole solutions distributed by browsers. > > > > > > No such solution have been proposed and browser distribution > implies endorsement. > > > > > >> > > >> Of course, technical people can easily generate and install > their own should they choose to, as is outside of the scope of my point. > > > > > > That's not what I wrote, installing (not generating) a root > certificate is not rocket science but I'm rather suggesting dropping the > whole idea. > > > > > > > > >> > > >> Tim.h. > > >> > > >> On Sat., 4 Feb. 2017, 11:21 pm Anders Rundgren, < > anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> > <mailto:anders.rundgren.net@gmail.com <mailto: > anders.rundgren.net@gmail.com>>> wrote: > > >> > > >> First it is important to understand that browsers only > provide roots for TLS (server) certificates. > > >> Secondly, hosting providers like Alibaba, Godaddy, > Amazon, Microsoft, Google, etc. can issue suitable domain certificates with > ZERO cost. > > >> > > >> If somebody wants to raise a CA for certifying a few > thousand organization-servers they can do that, including the inclusion in > browsers. > > >> The cost for these certificates are likely to be $1000 or > more. > > >> > > >> To me this looks like a pretty bad business case. > > >> > > >> If there rather is a lingering trust issue here (which > some folks are prepared paying dearly for...), I'm not aware of any other > alternative but manually configuring roots in browsers. > > >> > > >> Certificates (or similar) for "people"? Well, that's an > entirely different issue (and thread). > > >> > > >> Anders > > >> > > >> On 2017-02-04 03:58, Timothy Holborn wrote: > > >> > Cross-posted > > >> > > > >> > I note that the Root Certificates bundled with > Browsers, do not universally have sovereign providers (ie: providers > operating their HQ from a local national provider). Whilst i can > understand the rapid development of the web and how this may not have been > considered previously, as the use of the web continues to develop - isn't > it becoming more important? Particularly if solutions become bound to > browsers... > > >> > > > >> > I've done a quick search and found an example for > mozilla[1]; but moreover, > > >> > > > >> > Do we know what the barriers (ie: economic costs for > bundling with browsers) are for updating this infrastructure via trusted > local provider(s)? > > >> > > > >> > I recently heard the cost for bundling a new Root-CA > provider with all the browsers was a relatively significant barrier. > > >> > > > >> > Whilst these sorts of things (ie: sovereignty > considerations / rule of law / etc.) have been at the heart of these works, > i am finding it difficult not to note the finger[2] depicted nationally in > recent affairs and in the spirit of long-standing precedents[3] value the > health, safety and welfare that may be born via our efforts. Of course, as > an Australian - the affairs of the US administration are quite independent > to me; other than the fond relationships i have with those who call America > home and indeed also - that my crypto / data frameworks are most often > Choice Of Law USA which (as an American legal alien) increasingly concerns > me. > > >> > > > >> > Whilst i am not advocating for a browser-centric > solution to be necessary; browsers are difficult things to manage, complex, > and the future of them is kinda unknown; various storage frameworks provide > interesting opportunities in-line with W3C standards; and as portions of > these sorts of AUTH considerations have been within the domain of > long-standing issues, including that of the function for WebID-TLS and the > UX frameworks thereby provided; it seemed, this course of consideration > (ie: how hard is it to make a browser-company policy to lower the cost for > PKI for decentralisation via lowering the costs) may indeed yield some > relatively simple ways to both encourage broader involvement, participation > and consideration via a relatively simple group of policy considerations. > > >> > > > >> > I imagine years ago, as a browser company; the income > generated this way was part of how to make the production of a browser a > successful endeavors with paid employees (caring for their families, etc.); > yet, aren't we a little past that now? We're working on various ID related > constituents, etc. > > >> > > > >> > Even if a solution was Google AU or MS AU or similar. > Still seems better to me. > > >> > / > > >> > / > > >> > /"This is because many uses of digital certificates, > such as for legally binding digital signatures, are linked to local law, > regulations, and accreditation schemes for certificate authorities."[4]/ > > >> > > > >> > Timothy Holborn > > >> > > > >> > > > >> > [1] > https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport > > >> > [2] > http://www.smh.com.au/world/wrecking-ball-with-steve-bannon-in-charge-of-security-what-does-donald-trump-mean-for-usaustralia-relations-20170202-gu4kgw.html > > >> > [3] _https://www.youtube.com/watch?v=aiFIu_z4dM8 _ > > >> > [4] https://en.wikipedia.org/wiki/Certificate_authority > > >> > > > >> > > > >> > > > > > > >
Received on Sunday, 5 February 2017 16:52:55 UTC