On Tue, 13 Aug 2024 at 08:17, Tobias Fiebig <tobias=40fiebig.nl@xxxxxxxxxxxxxx> wrote:
> Also note that, in the end, you'd have to have the CA Browser Forum on
> board. And the browser vendors. And as things stand, that is--
> effectively--just Google (Chromium) and a bit of Safari (iirc) and
> Firefox (really, just a bit).
I think this is the real issue here - the trust root isn't "a whole bunch of CAs", instead the "keys to the internet" are owned by the CA Browser Forum, which is dominated by a handful of players (and only concerned with the Web, not any other services).
One problem is that asymmetric cryptography implies asymmetric trust - that is, if I can get a certificate from anywhere, I will do so from a source I trust (well, you'd think). But clients/callers/initiators will trust a potentially different source.
End users are generally not a stakeholder in this - they have little choice but to trust whatever their mobile operating system provider, browser, etc. tells them to. Take Android - you can't add your own trust anchors there since the system won't let apps use those unless they're essentially debug flagged. "It's for your own good".
Any solution to the general problem Nick identifies is going to need to navigate its way through both ends, and actually provide the end users something they might want (if anyone would ask them). I've no clue what the solutions here might be, but I'm interested in brainstorming.
Dave.