
Re: Root Key - Browser infrastructure

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Sat, 04 Feb 2017 12:26:48 +0000
Message-ID: <CAM1Sok36FLwJCB2H9p8mDmFjE8VKE4noonQSdMU4fr5DoLqRVg@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, Web Payments CG <public-webpayments@w3.org>, public-rww <public-rww@w3.org>

Different level.

http://www.certificates-australia.com.au is an example of existing
solutions.

An organisation such as Australia Post (for example purposes only, without
endorsement or suggestion that they're interested in any way) should be able
to more easily provide sovereign solutions, without the need for
international root keys as the sole solutions distributed by browsers.

Of course, technical people can easily generate and install their own
should they choose to, which is outside the scope of my point.

Tim.h.

On Sat., 4 Feb. 2017, 11:21 pm Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> First it is important to understand that browsers only provide roots for
> TLS (server) certificates.
> Secondly, hosting providers like Alibaba, Godaddy, Amazon, Microsoft,
> Google, etc. can issue suitable domain certificates with ZERO cost.
>
> If somebody wants to raise a CA for certifying a few thousand
> organization-servers they can do that, including the inclusion in browsers.
> The cost for these certificates is likely to be $1000 or more.
>
> To me this looks like a pretty bad business case.
>
> If there rather is a lingering trust issue here (which some folks are
> prepared to pay dearly for...), I'm not aware of any other alternative but
> manually configuring roots in browsers.
>
> Certificates (or similar) for "people"?  Well, that's an entirely
> different issue (and thread).
>
> Anders
>
> On 2017-02-04 03:58, Timothy Holborn wrote:
> > Cross-posted
> >
> > I note that the Root Certificates bundled with Browsers do not
> universally have sovereign providers (ie: providers operating their HQ from
> a local national provider).  Whilst I can understand the rapid development
> of the web and how this may not have been considered previously, as the use
> of the web continues to develop - isn't it becoming more important?
> Particularly if solutions become bound to browsers...
> >
> > I've done a quick search and found an example for mozilla[1]; but
> moreover,
> >
> > Do we know what the barriers (ie: economic costs for bundling with
> browsers) are for updating this infrastructure via trusted local
> provider(s)?
> >
> > I recently heard the cost for bundling a new Root-CA provider with all
> the browsers was a relatively significant barrier.
> >
> > Whilst these sorts of things (ie: sovereignty considerations / rule of
> law / etc.) have been at the heart of these works, I am finding it
> difficult not to note the finger[2] depicted nationally in recent affairs
> and in the spirit of long-standing precedents[3] value the health, safety
> and welfare that may be borne via our efforts.  Of course, as an Australian
> - the affairs of the US administration are quite independent to me; other
> than the fond relationships I have with those who call America home and
> indeed also - that my crypto / data frameworks are most often Choice Of Law
> USA which (as an American legal alien) increasingly concerns me.
> >
> > Whilst I am not advocating for a browser-centric solution to be
> necessary; browsers are difficult things to manage, complex, and the future
> of them is kinda unknown; various storage frameworks provide interesting
> opportunities in-line with W3C standards; and as portions of these sorts of
> AUTH considerations have been within the domain of long-standing issues,
> including that of the function for WebID-TLS and the UX frameworks thereby
> provided; it seemed, this course of consideration (ie: how hard is it to
> make a browser-company policy to lower the cost for PKI for
> decentralisation via lowering the costs) may indeed yield some relatively
> simple ways to both encourage broader involvement, participation and
> consideration via a relatively simple group of policy considerations.
> >
> > I imagine years ago, as a browser company; the income generated this way
> was part of how to make the production of a browser a successful endeavor
> with paid employees (caring for their families, etc.); yet, aren't we a
> little past that now?  We're working on various ID related constituents,
> etc.
> >
> > Even if a solution was Google AU or MS AU or similar.  Still seems
> better to me.
> >
> > "This is because many uses of digital certificates, such as for legally
> binding digital signatures, are linked to local law, regulations, and
> accreditation schemes for certificate authorities."[4]
> >
> > Timothy Holborn
> >
> >
> > [1]
> https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
> > [2]
> http://www.smh.com.au/world/wrecking-ball-with-steve-bannon-in-charge-of-security-what-does-donald-trump-mean-for-usaustralia-relations-20170202-gu4kgw.html
> > [3] https://www.youtube.com/watch?v=aiFIu_z4dM8
> > [4] https://en.wikipedia.org/wiki/Certificate_authority
> >
> >
>
>
Received on Saturday, 4 February 2017 12:27:35 UTC
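The manual alternative Anders mentions (configuring a root in the browser yourself) and Tim's remark that technical people can generate and install their own, shown as an added shell example that is not part of the thread: a private root CA is built with openssl, a server certificate is issued under it, and the chain is verified once against the default trust store (where it fails, exactly as it would in a browser that does not bundle the root) and once against the private root (where it succeeds, but only for the hostname in the certificate's SAN). It assumes openssl 1.1.0 or later is on PATH; every organisation name, hostname and path below is invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a private root CA with openssl,
# issue a server certificate under it, and show that the chain verifies only
# when that root is supplied as a trust anchor. Assumes openssl >= 1.1.0 is
# on PATH; every name, path and hostname below is invented for the example.
set -e

PKI_DIR="$(mktemp -d)"
trap 'rm -rf "$PKI_DIR"' EXIT

# Self-signed root plus a leaf for www.example.com.au signed by it.
make_private_pki() {
    dir="$1"
    # Self-contained req configs so the result does not depend on the system openssl.cnf
    cat > "$dir/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = AU
O = Example Sovereign CA
CN = Example Sovereign Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/leaf.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = www.example.com.au
EOF
    # Extensions applied at signing time: browsers match the hostname against the SAN, not the CN
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com.au
authorityKeyIdentifier = keyid
EOF
    # Root key and self-signed root certificate (10 years)
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/root.cnf" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Server key and CSR
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/leaf.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Sign the CSR with the private root, adding the leaf extensions
    openssl x509 -req -sha256 -days 397 -in "$dir/server.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/server.pem" 2>/dev/null
}

# Verify a leaf for a hostname using ONLY the given anchor file; prints OK or FAIL.
verify_against() {
    anchor="$1"; leaf="$2"; host="$3"
    if openssl verify -CAfile "$anchor" -no-CApath -verify_hostname "$host" \
        "$leaf" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Verify a leaf against the default store only (the bundled roots; no private root).
verify_with_default_store() {
    if openssl verify "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_private_pki "$PKI_DIR"
echo "default store only:        $(verify_with_default_store "$PKI_DIR/server.pem")"
echo "with private root:         $(verify_against "$PKI_DIR/root.pem" "$PKI_DIR/server.pem" www.example.com.au)"
echo "private root, wrong host:  $(verify_against "$PKI_DIR/root.pem" "$PKI_DIR/server.pem" www.example.com)"

# Making a browser accept the root means adding it to the store that browser reads,
# which is a privileged, per-machine step (commands shown for reference, not run here):
#   Debian-derived OS store:
#     sudo cp "$PKI_DIR/root.pem" /usr/local/share/ca-certificates/example-root.crt
#     sudo update-ca-certificates
#   Firefox keeps its own NSS database (certutil from libnss3-tools; <profile> is your profile dir):
#     certutil -d "sql:$HOME/.mozilla/firefox/<profile>" -A -t "C,," -n "Example Sovereign Root" -i "$PKI_DIR/root.pem"
```

The three verification results are the whole point of Anders' remark: a certificate under a root the browser does not bundle is rejected by default, is accepted once that root is installed as a trust anchor, and is still rejected for any hostname not listed in its SAN, so "installing your own root" only ever vouches for names the private CA has actually issued.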
