Hi Ted,

I am a client of the biggest bank (by all parameters: number of clients, money, whatever) in my country. The US has requested all certificate authorities to ban this bank. They did cancel certificates that had been prepaid for up to 10 years.

I have manually installed the root certificate in Firefox to access the bank. The majority of people (tens of millions) did follow the advice to use a locally developed browser that has a proper certificate pre-installed.

Is it a proper example? For all CAs.

Eduard

From: Ted Hardie <ted.ietf@xxxxxxxxx>

Hi Nick,

It sounds like you don't have a problem with TLS, but do have a concern that the CA/Browser Forum's choices might limit the number of websites that are able to use TLS.

First, can you indicate any specific CAs which have sought approval and been denied? Specifically, are there any that met the Baseline Requirements (https://cabforum.org/working-groups/server/baseline-requirements/) and were denied? Have you talked to the CA/Browser Forum about this topic?

Second, you mention Let's Encrypt and note it doesn't solve the problem. ACME is meant to lower the administrative burden of getting and using TLS certificates, and it has been an enormous success, in part because Let's Encrypt lowered the cost associated with getting a certificate to zero. The cost of a CA was formerly one of the most serious barriers to deployment. Having one of the available CAs be both free and easy to configure certainly seems to contribute to an Internet that is both open to all and secure for anyone who cares to press the right buttons. Let's Encrypt is not so much a gatekeeper as a helpful friend holding the door for you.

Third, your call to action is this:

> In order for the Internet to remain free and open, we need a system

TLS security requires authentication, and PKIs are mostly the way that authentication is delivered. If you want to propose other authentication methods or adopt other authentication methods, I think you'd need to have some evidence that those methods provide equivalent security and are easier to use. Andy has mentioned DANE/TLSA as an alternative; while it is a possible route away from CAs, it can be daunting to configure, and a wholesale switch to it seems unlikely. Do you have an actual alternative to CAs to propose?

As full disclosure, I was one of the first chairs of ACME, and my company (and specifically my group) supports the work of ISRG/Let's Encrypt financially.

regards,

Ted Hardie

On Mon, Aug 12, 2024 at 8:21 PM Nick Lockheart <lists@xxxxxxxxxxxxxx> wrote:
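Since the thread mentions DANE/TLSA as the alternative to CA-issued trust, the following is an added illustration (not part of any message in the thread) of what a DANE-EE record actually pins and why it survives a certificate reissue. It builds a minimal, constructed X.509 DER blob (not a real certificate; the key bits, OIDs and empty name fields are placeholders) solely so the SubjectPublicKeyInfo can be extracted, then derives a `3 1 1` TLSA record (usage DANE-EE, selector SPKI, matching type SHA-256) per RFC 6698 and checks presented certificates against it. It does no DNS or DNSSEC lookup, which a real DANE client must do before trusting the record.

```python
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (single-byte tags, lengths below 65536)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_children(data: bytes):
    """Yield (tag, body) for each TLV found in a DER byte string."""
    i = 0
    while i < len(data):
        tag = data[i]
        ln = data[i + 1]
        i += 2
        if ln & 0x80:  # long-form length
            nbytes = ln & 0x7F
            ln = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + ln]
        i += ln


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serial, sigAlg,
                                  issuer, validity, subject, spki, ... }
    """
    _, cert_body = next(der_children(cert_der))
    _, tbs_body = next(der_children(cert_body))
    fields = list(der_children(tbs_body))
    offset = 1 if fields[0][0] == 0xA0 else 0  # skip explicit [0] version
    _, spki_body = fields[offset + 5]
    return der_tlv(0x30, spki_body)  # re-wrap as a full SEQUENCE TLV


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Build TLSA presentation-format rdata: '<usage> <selector> <mtype> <hex>'."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        assoc = data
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def tlsa_matches(record: str, presented_cert_der: bytes) -> bool:
    """Check a presented certificate against one TLSA record (no DNSSEC here)."""
    usage, selector, mtype, assoc = record.split()
    expected = tlsa_rdata(presented_cert_der, int(usage), int(selector), int(mtype))
    return expected.split()[3] == assoc.lower()


def build_fake_cert(pubkey_bits: bytes, serial: int) -> bytes:
    """Constructed placeholder certificate: structurally X.509, not signed or valid.

    Only the SPKI and serial are meaningful; names, validity and signature are empty.
    """
    alg_id = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # id-ecPublicKey
    spki = der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + pubkey_bits))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02")) +   # version v3
                  der_tlv(0x02, bytes([serial])) +          # serialNumber
                  der_tlv(0x30, b"") +                       # signature AlgorithmIdentifier (empty)
                  der_tlv(0x30, b"") +                       # issuer (empty)
                  der_tlv(0x30, b"") +                       # validity (empty)
                  der_tlv(0x30, b"") +                       # subject (empty)
                  spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    key = bytes(range(1, 66))                     # constructed 65-byte "public key"
    original = build_fake_cert(key, serial=1)
    reissued = build_fake_cert(key, serial=2)     # same key, new certificate
    rotated = build_fake_cert(bytes(65), serial=3)  # different key
    record = tlsa_rdata(original)                 # 3 1 1: DANE-EE pins the SPKI
    print(record)
    print("reissued cert matches:", tlsa_matches(record, reissued))
    print("rotated key matches:  ", tlsa_matches(record, rotated))
```

Selector 1 (SPKI) is what makes the record survive a reissue from any issuer, including a different CA or none at all, as long as the key is kept; selector 0 (full certificate) breaks on every renewal, which is part of the operational burden Ted alludes to. Matching type 0 publishes the raw SPKI in DNS instead of a hash, at the cost of a large record.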