Any "non-profit organization" would be registered in some jurisdiction that may dictate rules and own the Internet in this way. A "non-profit organization" would just help to hide the ownership. It is not a solution, it is the opposite.

IMHO: Browsers should automatically download root certificates from the local government authority. Government certificates should apply to the country domains only. Governments should not be capable of deleting/preempting certificates of other jurisdictions. Hence, trust here could be connected to the country's DNS domain owner (like ".us"). It is possible to assume that every such organization is the root certificate authority by default. Governments would find how to negotiate with them very quickly 😊

Browsers could be filtered by some jurisdictions in the not-very-distant future. It is already very visible that the Internet is heavily used for politics or even war. Governments would tighten control over the Internet as a result. Give them tools to control what they like to control or they will do much bigger harm by their non-professional intrusion.

Ed/

-----Original Message-----
From: Nick Lockheart <lists@xxxxxxxxxxxxxx>
Sent: Tuesday, August 13, 2024 01:42
To: ietf@xxxxxxxx
Subject: Re: TLS Everywhere

On Mon, 2024-08-12 at 17:42 -0400, Andrew Newton (andy) wrote:
>
> On 8/12/24 15:20, Nick Lockheart wrote:
> > The problem with TLS, however, is that all major browsers will block
> > your website unless you have a certificate signed by one of a small
> > handful of "Chosen Few" Certificate Authorities that are hard-coded
> > into the browser.
>
> Hi Nick,
>
> Do DANE and TLSA solve your problem?
>
> It doesn't appear that the major browsers directly support it, but
> experiments with it date back over 10 years [1] [2].
>
> Browsing the DNS-related RFCs [3], I don't see an equivalent to RFC 7672,
> so maybe that's a contribution the IETF could use.
>
> I hope you find any of this helpful.
>
> -andy
>

Thank you Andy, I have read through the linked article about SMTP security.

I think the issue with DANE (for websites) is that it relies on DNSSEC, which unfortunately turns into a debate over "who gets to own the keys to the entire Internet".

I am certainly interested in brainstorming ways to validate a TLS certificate *without* the need for DNSSEC. I think this could actually be done with some non-profit organizations, and could provide at least the same level of security as the Domain Validation checks done by organizations like "Let's Encrypt", but without needing a Certificate Authority that can sign on behalf of *any* site, and without sites needing a signature from a small list of Certificate Authorities.

I could write up more details if people are interested. I wanted to make sure this was the right place to discuss it first, though.

Thanks,
Nick