Re: TLS Everywhere

I have not had anything to do with CABForum for many a year. I have not been in the CA business either.

On Tue, Aug 13, 2024 at 8:02 PM George Michaelson <ggm@xxxxxxxxxxxx> wrote:
> My problem with CAB is lack of clue about its governance.
>
> All discussion of community led alternates will have the same problems as CAB in terms of engagement with LEA, international sanctions and my lack of clue about their governance.
>
> I continue to believe that awkward as it would be, browsers should ship with a number of trust anchors closer to zero apart from their own code signing root.
>
> We should have been trained to manage trust for ourselves or under our local administrators' control, not an occluded set of 400+ trust points which we blithely accept... until it goes wrong.

+0.5

The goal should be to put CONTROL in the hands of individual users but they should not necessarily have to exercise that control directly, they should be able to delegate the curation task to the security provider of their choice. So instead of Google or Microsoft or Firefox curating roots, I might delegate that to McAfee, Symantec or Comodo (neither of which are CAs at this point).

The way I plan to do this in the Mesh is that when a device is bound to a personal mesh, it is provisioned with the root of trust for that user for WebPKI, DNSSEC, etc.

I am not so exercised about Chinese CAs issuing certificates but I do find life a lot less hassle with these new extension TLDs blocked.

