On Fri, 23 May 2025, Eliot Lear wrote:
> It's not that hypothetical. I bring to your attention draft-halen-fedae
> <https://datatracker.ietf.org/doc/draft-halen-fedae/>, which has been
> deployed in Sweden to create trust within a federation of private CAs. But
> it's not sufficient for non-federated or non-prearranged use cases. This
> draft focuses on m2m, and specifically excludes web-based transaction,
> because the security analysis required for browser interactions is a hard
> problem.
I'm having trouble coming up with plausible scenarios where the only thing
you know about a client is that some CA said their domain is OK.
Federated private CAs implement business relationships among the
organizations. Some random person saying "hi, I am foo.bar.com" provides
what? I don't get it.
I suppose there's the model PHB proposed, where it's sort of a mutant
OpenID, but domains don't seem like the right level of granularity.
Also, after two decades, OpenID hasn't exactly been a stunning success.
Regards,
John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/PVWGVJMKS2I4VBHUITB7BVSRCCDS3M6L/