[cabfpub] Localized CAs (was: Food for Thought)
Ryan Hurst
ryan.hurst at globalsign.com
Thu Aug 30 21:12:59 UTC 2012
+1
Sent from my iPhone
On Aug 30, 2012, at 2:08 PM, "Hill, Brad" <bhill at paypal-inc.com> wrote:
>> So Facebook still has to declare some sort of scope and this is an audit control
>> rather than an access control?
>
> [Hill, Brad] No, it just buys its cert from a CA that operates in the markets it wants to target - presumably a global CA that does not self-declare any restrictions in its scope.
>
>>
>> How does this provide any more leverage than the EFF observatory, (say)
>> pulling the CAA records once a week for all domains with known certs and
>> sounding an audit alarm if anything amiss is seen?
>
> [Hill, Brad] Certs mis-issued may not be presented to such a scan, as they were not in the DigiNotar case.
>
>>
>> The Web is either a post-national construct, a multi-national construct or
>> both. Early on there were large spaces where no government claimed
>> jurisdiction, now the default is that multiple governments might claim
>> jurisdiction. Building infrastructure that assumes a one-to-one mapping
>> seems obsolete to me in either case.
>
> [Hill, Brad] But governments have and continue to demand (and succeed in getting) their essentially self-certified trust roots placed in the global store. The least we can do is say something like, yes, [Chinese/Dutch] Government, we will accept your root, but it should only work by default for users browsing in the [Chinese/Dutch] language, others will have to click-through once to trust it.
>
> This isn't about building one-to-one mappings of websites to national jurisdictions. This is about putting a least-privilege scope on claims of trustworthiness rooted in sovereignty rather than an independently verified audit. It's about protecting the trans-national nature of Internet trust against the abuse and/or incompetence of sovereigns.
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
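The weekly CAA sweep described in the quoted question, as an added example that is not part of this thread: it resolves the CAA set that governs a name (walking toward the root as RFC 6844 prescribes), honours `issuewild` for wildcard names and the empty-issuer `;` form, and raises an alarm for observed certificates whose issuer the policy does not permit. Zone data and observed certificates are constructed; as Brad Hill notes above, a mis-issued certificate that is never presented to the scan will not appear in `OBSERVED_CERTS` at all.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed CAA zone data: owner name -> list of (flags, tag, value).
CAA_RECORDS: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "shop.example.net.": [(0, "issue", ";")],
}

# Constructed observations: (certificate name, issuing CA domain), as a
# scan of known certificates might report them. Certs never presented to
# the scan are, by definition, absent from this list.
OBSERVED_CERTS = [
    ("www.example.com", "ca-one.example"),
    ("www.example.com", "other-ca.example"),
    ("*.example.com", "ca-one.example"),
    ("shop.example.net", "ca-one.example"),
    ("api.example.org", "anyone.example"),
]

def relevant_caa(name: str) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """Closest name (itself or an ancestor) that has CAA records; ([], None) if none."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in CAA_RECORDS:
            return candidate, CAA_RECORDS[candidate]
    return None, []

def permitted_issuers(name: str) -> Optional[Set[str]]:
    """None: no CAA, any CA may issue. Empty set: CAA says no CA may issue."""
    is_wild = name.startswith("*.")
    bare = name[2:] if is_wild else name
    _, rrs = relevant_caa(bare)
    if not rrs:
        return None
    # Wildcard names fall back to "issue" only when no "issuewild" record exists.
    tag = "issuewild" if is_wild and any(t == "issuewild" for _, t, _ in rrs) else "issue"
    allowed: Set[str] = set()
    for _, t, v in rrs:
        if t == tag:
            ca = v.split(";", 1)[0].strip()  # drop parameters; "" means nobody
            if ca:
                allowed.add(ca.lower())
    return allowed

def audit(observed: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (name, issuer) pairs whose issuer the name's CAA policy forbids."""
    return [(n, i) for n, i in observed
            if (a := permitted_issuers(n)) is not None and i.lower() not in a]
```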