Re: TLS Everywhere

My problem with CAB is lack of clue about its governance.

All discussion of community led alternates will have the same problems as CAB in terms of engagement with LEA, international sanctions and my lack of clue about their governance.

I continue to believe that awkward as it would be, browsers should ship with a number of trust anchors closer to zero apart from their own code signing root. 

We should have been trained to manage trust for ourselves or under our local administrators' control, not an occluded set of 400+ trust points which we blithely accept... until it goes wrong.

I realise this is not feasible, counterfactual and has many problems. I continue to actually depend on the thing that concerns me.

Btw, seeing names I know and recognise say they are aware and part of CAB process is helpful. I appreciate the work done.

G

On Tue, 13 Aug 2024, 5:21 am Nick Lockheart, <lists@xxxxxxxxxxxxxx> wrote:

I'm very concerned about the move to "TLS Everywhere". Not because I am
opposed to TLS security, but because of how TLS is currently
implemented in major browsers.

The Internet is supposed to be open for all. And historically, it has
been. Anyone can create a website and post it online, and there aren't
any gatekeepers.

The problem with TLS, however, is that all major browsers will block
your website unless you have a certificate signed by one of a small
handful of "Chosen Few" Certificate Authorities that are hard-coded
into the browser.

This effectively means that in order to add TLS to your website, you
need permission from a very small handful of approved people.

This makes the TLS/HTTP2 Internet almost like an app store. You can't
run an app on an iPhone without Apple's permission, and you won't be
able to have a website that isn't blocked, unless you get a signature
from Verisign, Comodo, or "Let's Encrypt".

Let's Encrypt doesn't solve this problem. It's free to put an app in
the Apple app store, too.

It's the permissions, or the gate-keeping, that is the issue.

In order for the Internet to remain free and open, we need a system
where websites can use TLS security, and have their pages load in all
major browsers, **without** needing any permission from a TLS
Gatekeeper.

In short, the current TLS system, as implemented, is a backdoor to
Internet censorship. We need to come together and find a better way.
