[cabfpub] Food for Thought

Chris Palmer palmer at google.com
Tue Aug 28 20:01:15 UTC 2012


* What if, as seems to be pretty common, your threat actor is in your
region/country/jurisdiction? This won't help.

* It's impossible to know with certainty, short of an explicit user
preference, what region/country/jurisdiction the user wants the
validity of certificates to be adjudicated for.

* It's generally impossible to know with certainty what
region/country/jurisdiction the CA(s) should validly be operating in.

* Public key pinning is an existing, browser-initiated effort to
reduce this problem. It's under site operator control, so it doesn't
have to rely on failure-prone heuristics like IP geolocation, locale
settings, and so on.

* Root CAs --- audited and publicly-known --- are hardly the only or
even the biggest issue. There is also the "dark matter" in the
SSLiverse: the proliferation of unknown and unaudited but full-powered
intermediate issuers. How to decide with certainty, with the limited
information available at run-time, if they are from the "right"
region/country/jurisdiction?

* What if a user really wants to visit a valid HTTPS site signed by a
CA run by a foreign government or otherwise under foreign control?
This is, after all, the *world-wide* web. Balkanizing it is
technically, socially, and economically counter-productive.

* The last thing we need is security UX complications. "Dear User:
Chrome thinks you are Canadian. Is that correct? Click Yes to begin
rejecting a small subset of the known certification authorities (<a
href=help>What's This?</a>) that Chrome guesses might be operated by
foreign governments and hence not reliable to authenticate the small
subset of Canadian sites we think you will want to look at. Note that
in some cases, you may also be blocked from seeing sites you want to
see, but this will also not protect you from a large number of
potentially rogue intermediate signers (<a href=help>What's This?</a>)
of arbitrary origin. [ Yes ] [ No ] [ Shut Down the Computer ]"



More information about the Public mailing list