On Mon, December 31, 2012 10:23 am, Kai Engert wrote:
>  On Mon, 2012-12-31 at 16:26 +0100, Kai Engert wrote:
> > I propose to more actively involve users into the process of accepting
> > certificates for domains.
>
>  I propose the following in addition:
>
>  Each CA certificate shall have a single country where the CA
>  organization is physically located (they already contain that).
>
>  If the CA's country matches the country of the domain being visited,
>  then we proceed automatically.
>
>  Example: A US based CA and a user visiting a .us site.
>
>  If the domain being visited is a non-country specific domain, like .com
>  or .org, then we could securely query the domain registry. We could
>  "pin" in the software, which set of CAs are allowed for talking SSL/TLS
>  to a domain registry. The CA should be located in the same country where
>  the root zone of that domain is being operated.
>
>  We learn that a specific domain is registered in the US. If the CA used by
>  the site is based in the US, too, everything is fine. Or if the domain
>  is registered in Germany, and the site presents a certificate from a
>  German CA, we could accept it too.
>
>  For all scenarios where we see a mismatch, it could be argued that
>  something is wrong, and we could use the UI that I have described. Maybe
>  that can be further enhanced.
>
>  This system would encourage local authorities, and reduce the power of
>  the currently big players in the CA world.
>
>  (I'd prefer such a system over DNSSEC, where everything chains up to a
>  single key in just one country.)
>
>  Kai
>
>  (Credits: Thanks to @_not_you who suggested to find some heuristic to
>  improve this proposal.)
>
So far, the two proposals are:
1) Nag the user whenever they want to make a new secure connection. This
nag screen is not shown over HTTP, so clearly, HTTP is preferable here.
2) Respect national borders on the Internet.

If anything, the more user interaction, even once, of a technically
complex nature, is enough to disincentivize any site operator from using
SSL. "Oh, my Firefox users are going to see a prompt? I don't want to send
them to SSL then, because they'll complain / it will be a lost sale."

Even once is enough. Otherwise, why would sites even bother getting a CA
certificate, since they can already condition users to 'pin' to their
self-signed cert by virtue of clicking through.

I don't see national borders on the Internet as an even remotely plausible
idea. Why should Americans trust their governments (who have the legal
force to compel CAs operating in the US) more than those in Iran trust
theirs (who also have the legal force to compel CAs operating in Iran)?

I cannot take any proposal to "more actively involve users in the process
of accepting certificates for domains", because for the millions of users,
that very statement is too much. We don't actively involve users in
handling of Dun & Bradstreet numbers, we don't actively involve users
in handling corporate tax returns, and we certainly don't involve users in
supply chain provenance, so why is the certificate somehow 'more'
accessible?

If the goal is to reduce power or risk, then something like Certificate
Transparency should be the game. Having transparent reports of issuance
and the ability to monitor for misissuance should be the end goal -
whether you're operating a CA that serves 50 domains or 500 million
domains. It's highly elitist to suggest those 500 million are worth more
than those 50 - especially if real users' lives are at risk for those 50
domains.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
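To make the quoted country-matching heuristic concrete, here is an added illustration of the decision it describes (auto-accept on a match, prompt on a mismatch, registry lookup for non-country TLDs); it is not code from the thread or from Mozilla. The gTLD-to-registry-country table, the ccTLD override and the sample issuer strings are constructed for the example, and the registry lookup the proposal would do over a pinned TLS connection is replaced by that static table.

```python
from enum import Enum
from typing import Optional


class Verdict(Enum):
    AUTO_ACCEPT = "auto_accept"  # CA country matches the domain's country
    PROMPT_USER = "prompt_user"  # mismatch: the proposal's warning UI
    UNKNOWN = "unknown"          # no country could be determined


# Constructed stand-in for the "securely query the domain registry" step:
# which country operates the registry of a non-country TLD.
GTLD_REGISTRY_COUNTRY = {"com": "US", "net": "US", "org": "US"}

# Edge case: the ccTLD label is not always the ISO 3166 code used in a
# certificate's C= attribute (.uk vs. GB), so a small override table is needed.
CCTLD_TO_ISO = {"uk": "GB"}


def issuer_country(issuer_dn: str) -> Optional[str]:
    """Return the C= attribute of a comma-separated issuer DN, or None."""
    for part in issuer_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "C" and value.strip():
            return value.strip().upper()
    return None


def domain_country(hostname: str) -> Optional[str]:
    """Two-letter TLDs are ccTLDs; anything else goes through the registry table."""
    tld = hostname.rstrip(".").rsplit(".", 1)[-1].lower()
    if len(tld) == 2:
        return CCTLD_TO_ISO.get(tld, tld.upper())
    return GTLD_REGISTRY_COUNTRY.get(tld)


def evaluate(hostname: str, issuer_dn: str) -> Verdict:
    """Apply the proposal: same country -> accept, else prompt; no data -> unknown."""
    ca = issuer_country(issuer_dn)
    dom = domain_country(hostname)
    if ca is None or dom is None:
        return Verdict.UNKNOWN
    return Verdict.AUTO_ACCEPT if ca == dom else Verdict.PROMPT_USER


if __name__ == "__main__":
    # A .de site with a US-based CA is exactly the friction case the reply objects to.
    print(evaluate("shop.example.de", "C=US, O=Example CA"))  # Verdict.PROMPT_USER
```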