W3C home > Mailing lists > Public > public-webpayments@w3.org > February 2017

Re: Root Key - Browser infrastructure

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 4 Feb 2017 13:47:54 +0100
To: Timothy Holborn <timothy.holborn@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, Web Payments CG <public-webpayments@w3.org>, public-rww <public-rww@w3.org>
Message-ID: <49c7de3b-a4b4-6208-3a2e-783ba642b7ee@gmail.com>
On 2017-02-04 13:26, Timothy Holborn wrote:
> Different level.
>
> http://www.certificates-australia.com.au. Is an example of existing solutions.
>
> An organisation such as Australia Post (for example purposes only, without endorsement or suggestion that they're interested in anyway) should be able to more easily provide sovereign solutions, without the need for international root-keys as the sole solutions distributed by browsers.

No such solution have been proposed and browser distribution implies endorsement.

>
> Of course, technical people can easily generate and install their own should they choose to, as is outside of the scope of my point.

That's not what I wrote, installing (not generating) a root certificate is not rocket science but I'm rather suggesting dropping the whole idea.

>
> Tim.h.
>
> On Sat., 4 Feb. 2017, 11:21 pm Anders Rundgren, <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     First it is important to understand that browsers only provide roots for TLS (server) certificates.
>     Secondly, hosting providers like Alibaba, Godaddy, Amazon, Microsoft, Google, etc. can issue suitable domain certificates with ZERO cost.
>
>     If somebody wants to raise a CA for certifying a few thousand organization-servers they can do that, including the inclusion in browsers.
>     The cost for these certificates are likely to be $1000 or more.
>
>     To me this looks like a pretty bad business case.
>
>     If there rather is a lingering trust issue here (which some folks are prepared paying dearly for...), I'm not aware of any other alternative but manually configuring roots in browsers.
>
>     Certificates (or similar) for "people"?  Well, that's an entirely different issue (and thread).
>
>     Anders
>
>     On 2017-02-04 03:58, Timothy Holborn wrote:
>     > Cross-posted
>     >
>     > I note that the Root Certificates bundled with Browsers, do not universally have sovereign providers (ie: providers operating their HQ from a local national provider).  Whilst i can understand the rapid development of the web and how this may not have been considered previously, as the use of the web continues to develop - isn't it becoming more important? Particularly if solutions become bound to browsers...
>     >
>     > I've done a quick search and found an example for mozilla[1]; but moreover,
>     >
>     > Do we know what the barriers (ie: economic costs for bundling with browsers) are for updating this infrastructure via trusted local provider(s)?
>     >
>     > I recently heard the cost for bundling a new Root-CA provider with all the browsers was a relatively significant barrier.
>     >
>     > Whilst these sorts of things (ie: sovereignty considerations / rule of law / etc.) have been at the heart of these works, i am finding it difficult not to note the finger[2] depicted nationally in recent affairs and in the spirit of long-standing precedents[3] value the health, safety and welfare that may be born via our efforts.  Of course, as an Australian - the affairs of the US administration are quite independent to me; other than the fond relationships i have with those who call America home and indeed also - that my crypto / data frameworks are most often Choice Of Law USA which (as an American legal alien) increasingly concerns me.
>     >
>     > Whilst i am not advocating for a browser-centric solution to be necessary; browsers are difficult things to manage, complex, and the future of them is kinda unknown; various storage frameworks provide interesting opportunities in-line with W3C standards; and as portions of these sorts of AUTH considerations have been within the domain of long-standing issues, including that of the function for WebID-TLS and the UX frameworks thereby provided; it seemed, this course of consideration (ie: how hard is it to make a browser-company policy to lower the cost for PKI for decentralisation via lowering the costs) may indeed yield some relatively simple ways to both encourage broader involvement, participation and consideration via a relatively simple group of policy considerations.
>     >
>     > I imagine years ago, as a browser company; the income generated this way was part of how to make the production of a browser a successful endeavors with paid employees (caring for their families, etc.); yet, aren't we a little past that now?  We're working on various ID related constituents, etc.
>     >
>     > Even if a solution was Google AU or MS AU or similar. Still seems better to me.
>     > /
>     > /
>     > /"This is because many uses of digital certificates, such as for legally binding digital signatures, are linked to local law, regulations, and accreditation schemes for certificate authorities."[4]/
>     >
>     > Timothy Holborn
>     >
>     >
>     > [1] https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
>     > [2] http://www.smh.com.au/world/wrecking-ball-with-steve-bannon-in-charge-of-security-what-does-donald-trump-mean-for-usaustralia-relations-20170202-gu4kgw.html
>     > [3] _https://www.youtube.com/watch?v=aiFIu_z4dM8 _
>     > [4] https://en.wikipedia.org/wiki/Certificate_authority
>     >
>     >
>
Received on Saturday, 4 February 2017 12:48:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:47 UTC