[cabfpub] Localized CAs (was: Food for Thought)

[Hill, Brad]

> So Facebook still has to declare some sort of scope and this is an audit control
> rather than an access control?

[Hill, Brad] No, it just buys its cert from a CA that operates in the markets it wants to target - presumably a global CA that does not self-declare any restrictions in its scope.

> 
> How does this provide any more leverage than the EFF observatory, (say)
> pulling the CAA records once a week for all domains with known certs and
> sounding an audit alarm if anything amiss is seen?

[Hill, Brad] Certs mis-issued may not be presented to such a scan, as they were not in the DigiNotar case.

> 
> The Web is either a post-national construct, a multi-national construct or
> both. Early on there were large spaces where no government claimed
> jurisdiction, now the default is that multiple governments might claim
> jurisdiction. Building infrastructure that assumes a one-to-one mapping
> seems obsolete to me in either case.

[Hill, Brad] But governments have and continue to demand (and succeed in getting) their essentially self-certified trust roots placed in the global store.  The least we can do is say something like, yes, [Chinese/Dutch] Government, we will accept your root, but it should only work by default for users browsing in the [Chinese/Dutch] language, others will have to click-through once to trust it.

This isn't about building one-to-one mappings of websites to national jurisdictions.  This is about putting a least-privilege scope on claims of trustworthiness rooted in sovereignty rather than an independently verified audit.  It's about protecting the trans-national nature of Internet trust against the abuse and or incompetence of sovereigns.