Reductio ad absurdum: it all hinges on the rule of law or the whim of a potentate.

On Sat, Mar 29, 2025, 8:49 AM Wes Kussmaul <w...@reliableid.com> wrote:

> On 3/28/25 18:04, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> > Aleksandar Kuktin writes:
> >
> >> ...the "trust"
> >> chain originates with the manufacturer, or more accurately with
> >> whomever controls the manufacturer, you'll never be in complete control
> >> of the device.
> --
>
> This is such an important and overlooked point.
>
> We partnered with, and invested in, StartCom, a certification authority
> that helped us build our Osmio CA. We chose them because of their
> reputation for integrity: they actually checked out the claims of domain
> owners before signing an x.509 SSL certificate (unlike many others.)
>
> We were minority shareholders, so when the CEO decided to put the
> company up for sale we had no choice but to consent to selling this
> business with a noteworthy integrity asset.
>
> So when a company with a noteworthy asset puts itself up for sale, of
> course it attracts buyers who lack that asset - right? So a Chinese
> company bought StartCom in order to issue fraudulent x.509 certificates.
>
> Fortunately they were quickly caught by members of the CA Forum. All the
> browser makers quickly deleted the StartCom root from their browsers,
> and all of a sudden the users of sites backed by StartCom SSL
> certificates got the ugly go-away-do-not-trust-this-site message.
>
> Certification authorities should be like the vital records departments
> of city hall. You may be able to buy the mayor, but everyone in the
> vital records department knows that their only asset is their integrity.
> You can't buy the vital records department.
>
> The notion of a commercial certification "authority" is pure folly.
>
> And attributing enduring significance to a company's privacy practices
> (hello Apple) is also folly. A big hedge fund or PE might decide there's
> money to be made by buying a controlling interest in Apple and getting
> it to act like the rest of Silibandia, stealing and selling personal
> information for a big boost in earnings and share value.
>
> A company is not a person. Unlike a person's character, which is usually
> enduring, a company's character is created at the whim of its
> controlling shareholder.
>
> *Wes Kussmaul*
>
> *Reliable Identities, Inc.*
> an Authenticity Enterprise

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/T4aedea377a3d63c1-Me89e017e4f44e7959b79d809