W3C home > Mailing lists > Public > public-webpayments@w3.org > February 2017

Re: Alternatives: Re: Root Key - Browser infrastructure

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 5 Feb 2017 18:30:14 +0100
To: Timothy Holborn <timothy.holborn@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, Web Payments CG <public-webpayments@w3.org>, public-rww <public-rww@w3.org>
Message-ID: <868fdd09-f0e8-c62f-08ee-a4ab2df42201@gmail.com>
On 2017-02-05 17:52, Timothy Holborn wrote:
> Perhaps it is a bad idea. I didn't see anyone else raise it. Perhaps that is why.

Not necessarily. Creating a scalable trust model for the Internet is just such a big question.

DNSSEC has been in the workings for over 15 years and AFAIK it is still only partially deployed.

IP6?  Everything on this level seems to take forever.

I'm in a huuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuurry, NOT :-)

Anders

> On Mon., 6 Feb. 2017, 3:47 am Anders Rundgren, <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     On 2017-02-05 16:38, Timothy Holborn wrote:
>     > Different set of issues.
>
>     There are (almost) always different paths to similar goals.
>
>     You want to pursue your original quest, that's OK.  I respect that but the market (in general) doesn't care HOW you achieve a certain goal, unless it doesn't cost an arm and a leg.
>
>     The proposed alternatives address the security/trust issues but in another (and in mot cases more powerful) way.
>     I understand that your goals go beyond such considerations.
>
>     > Internet is distributed to the world. As are browser and the products made by Google, apple, Microsoft, akamai, etc. Etc.  Why they can't support the delivery of localised
>     > https://en.m.wikipedia.org/wiki/Root_certificate
>     >
>     > Or: Australian citizen --> option for Australian Root-keys are chain,
>     >
>     > I believe in tern brings about important consideration that may influence other aspects to the payments works and other related W3C undertaking.  We have lots of options obviously, but given we are so dependent upon the desires of browser vendors --> seems rational to see what the deal is about this important aspect.
>     >
>     > Unless of course, the design of what is being built would work in a machine where all certificates not provide by a local organisations (both OS and Browser stores?) could be removed from the Machine and the payments and future credentials and whatever else relating to identity constituents would still work.
>     >
>     > Figured it was an important contribution / considerations.
>
>     Anders
>
>
>     Nb: cannot find enough links on the current costs...
>     >
>     > Tim.h.
>     >
>     > On Mon., 6 Feb. 2017, 2:20 am Anders Rundgren, <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>> wrote:
>     >
>     >     On 2017-02-04 13:50, Timothy Holborn wrote:
>     >
>     >     > If someone has reference to the current cost structures charged by
>     >      > browser and OS providers for bundling RootCert stuff, links welcomed.
>     >
>     >     IMO the Australian government should rather consider issuing client certificates (or FIDO tokens & IdPs), because (properly used), they provide end-2-end security and thus protect users from bad guys operating at the network level using fake "taxes.gov.au <http://taxes.gov.au> <http://taxes.gov.au>" certificates.
>     >     Note: that doesn't require any new roots in browsers.
>     >
>     >     Even Facebook supports end-2-end security tokens nowadays:
>     >
>     >     https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766
>     >
>     >
>     >     My belief is that the number of CAs for the public "TLS PKI" actually will *shrink* because the "Cloud" takes 90% of the market.
>     >     Letsencrypt/ACME will also contribute making this market less unattractive.
>     >
>     >
>     >     When it comes to "sovereignty" the fact is that only the US tech industry managed creating client computing software platforms that have survived on the market.
>     >     We other (Aussies, Europeans, Asians, etc) FAILED, EPICALLY.
>     >
>     >     Cheers,
>     >     Anders
>     >
>     >     PS I'm sure you will continue your crusade against the "Browser Tyranny". I'm actually doing that as well but through "Apps" which is how 99% (guesstimate) of the world are dealing with an impossible situation. DS
>     >     https://play.google.com/store/apps/details?id=org.webpki.mobile.android
>     >
>     >     >
>     >     > Tim.h.
>     >     >
>     >     >
>     >     > On Sat., 4 Feb. 2017, 11:48 pm Anders Rundgren, <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>>> wrote:
>     >     >
>     >     >     On 2017-02-04 13:26, Timothy Holborn wrote:
>     >     >>     Different level.
>     >     >>
>     >     >>     http://www.certificates-australia.com.au. Is an example of existing solutions.
>     >     >>
>     >     >>     An organisation such as Australia Post (for example purposes only, without endorsement or suggestion that they're interested in anyway) should be able to more easily provide sovereign solutions, without the need for international root-keys as the sole solutions distributed by browsers.
>     >     >
>     >     >     No such solution have been proposed and browser distribution implies endorsement.
>     >     >
>     >     >>
>     >     >>     Of course, technical people can easily generate and install their own should they choose to, as is outside of the scope of my point.
>     >     >
>     >     >     That's not what I wrote, installing (not generating) a root certificate is not rocket science but I'm rather suggesting dropping the whole idea.
>     >     >
>     >     >
>     >     >>
>     >     >>     Tim.h.
>     >     >>
>     >     >>     On Sat., 4 Feb. 2017, 11:21 pm Anders Rundgren, <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>>> wrote:
>     >     >>
>     >     >>         First it is important to understand that browsers only provide roots for TLS (server) certificates.
>     >     >>         Secondly, hosting providers like Alibaba, Godaddy, Amazon, Microsoft, Google, etc. can issue suitable domain certificates with ZERO cost.
>     >     >>
>     >     >>         If somebody wants to raise a CA for certifying a few thousand organization-servers they can do that, including the inclusion in browsers.
>     >     >>         The cost for these certificates are likely to be $1000 or more.
>     >     >>
>     >     >>         To me this looks like a pretty bad business case.
>     >     >>
>     >     >>         If there rather is a lingering trust issue here (which some folks are prepared paying dearly for...), I'm not aware of any other alternative but manually configuring roots in browsers.
>     >     >>
>     >     >>         Certificates (or similar) for "people"?  Well, that's an entirely different issue (and thread).
>     >     >>
>     >     >>         Anders
>     >     >>
>     >     >>         On 2017-02-04 03:58, Timothy Holborn wrote:
>     >     >>         > Cross-posted
>     >     >>         >
>     >     >>         > I note that the Root Certificates bundled with Browsers, do not universally have sovereign providers (ie: providers operating their HQ from a local national provider).  Whilst i can understand the rapid development of the web and how this may not have been considered previously, as the use of the web continues to develop - isn't it becoming more important? Particularly if solutions become bound to browsers...
>     >     >>         >
>     >     >>         > I've done a quick search and found an example for mozilla[1]; but moreover,
>     >     >>         >
>     >     >>         > Do we know what the barriers (ie: economic costs for bundling with browsers) are for updating this infrastructure via trusted local provider(s)?
>     >     >>         >
>     >     >>         > I recently heard the cost for bundling a new Root-CA provider with all the browsers was a relatively significant barrier.
>     >     >>         >
>     >     >>         > Whilst these sorts of things (ie: sovereignty considerations / rule of law / etc.) have been at the heart of these works, i am finding it difficult not to note the finger[2] depicted nationally in recent affairs and in the spirit of long-standing precedents[3] value the health, safety and welfare that may be born via our efforts.  Of course, as an Australian - the affairs of the US administration are quite independent to me; other than the fond relationships i have with those who call America home and indeed also - that my crypto / data frameworks are most often Choice Of Law USA which (as an American legal alien) increasingly concerns me.
>     >     >>         >
>     >     >>         > Whilst i am not advocating for a browser-centric solution to be necessary; browsers are difficult things to manage, complex, and the future of them is kinda unknown; various storage frameworks provide interesting opportunities in-line with W3C standards; and as portions of these sorts of AUTH considerations have been within the domain of long-standing issues, including that of the function for WebID-TLS and the UX frameworks thereby provided; it seemed, this course of consideration (ie: how hard is it to make a browser-company policy to lower the cost for PKI for decentralisation via lowering the costs) may indeed yield some relatively simple ways to both encourage broader involvement, participation and consideration via a relatively simple group of policy considerations.
>     >     >>         >
>     >     >>         > I imagine years ago, as a browser company; the income generated this way was part of how to make the production of a browser a successful endeavors with paid employees (caring for their families, etc.); yet, aren't we a little past that now?  We're working on various ID related constituents, etc.
>     >     >>         >
>     >     >>         > Even if a solution was Google AU or MS AU or similar.  Still seems better to me.
>     >     >>         > /
>     >     >>         > /
>     >     >>         > /"This is because many uses of digital certificates, such as for legally binding digital signatures, are linked to local law, regulations, and accreditation schemes for certificate authorities."[4]/
>     >     >>         >
>     >     >>         > Timothy Holborn
>     >     >>         >
>     >     >>         >
>     >     >>         > [1] https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
>     >     >>         > [2] http://www.smh.com.au/world/wrecking-ball-with-steve-bannon-in-charge-of-security-what-does-donald-trump-mean-for-usaustralia-relations-20170202-gu4kgw.html
>     >     >>         > [3] _https://www.youtube.com/watch?v=aiFIu_z4dM8 _
>     >     >>         > [4] https://en.wikipedia.org/wiki/Certificate_authority
>     >     >>         >
>     >     >>         >
>     >     >>
>     >     >
>     >
>
Received on Sunday, 5 February 2017 17:31:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:47 UTC