Hi Dennis

Admittedly, I'm not understanding how this extension enables government coercion. It seems like, with or without this extension, the path is still the same: you'd need to force a browser to ship with a government-issued CA installed. Nothing about this makes that easier. It /is/ somewhat nice to already have a way to signal that a given client does/doesn't support the government CA -- but you could just as easily do this with a simple extension from the private range, so I'm not sure that was a big blocker.

On the other hand, this draft solves a number of existing security issues, by allowing more rapid distrust of failed CAs, by allowing clients to signal support for short-lived certificates, etc.

On Mon, Apr 29, 2024 at 6:06 PM Dennis Jackson <ietf=40dennis-jackson...@dmarc.ietf.org> wrote:

> Thanks <https://last-chance-for-eidas.org/>, I <https://security.googleblog.com/2023/11/qualified-certificates-with-qualified.html> am <https://www.google.com/search?q=site%3Aapple.com+eidas+-podcast+-music+-store&sca_esv=30517ea669904188&ei=QEMwZvmdAc2lhbIPpY6Q4AY&ved=0ahUKEwj5vZ7x3uiFAxXNUkEAHSUHBGwQ4dUDCBA&uact=5&oq=site%3Aapple.com+eidas+-podcast+-music+-store&gs_lp=Egxnd3Mtd2l6LXNlcnAiK3NpdGU6YXBwbGUuY29tIGVpZGFzIC1wb2RjYXN0IC1tdXNpYyAtc3RvcmVI2RBQmAVY7A9wAXgAkAEAmAHCAaABlQSqAQM1LjG4AQPIAQD4AQGYAgCgAgCYAwCIBgGSBwCgB44C&sclient=gws-wiz-serp> aware <https://www.google.com/search?q=site%3Ablogs.microsoft.com+eidas&sca_esv=30517ea669904188&tbs=cdr%3A1%2Ccd_min%3A1%2F1%2F2021&ei=okMwZoivKbCMhbIP1vOquAg&ved=0ahUKEwiIiKSg3-iFAxUwRkEAHda5CocQ4dUDCBA&uact=5&oq=site%3Ablogs.microsoft.com+eidas&gs_lp=Egxnd3Mtd2l6LXNlcnAiHnNpdGU6YmxvZ3MubWljcm9zb2Z0LmNvbSBlaWRhc0ihE1DECljZEXABeACQAQCYAYMBoAHhA6oBAzUuMbgBA8gBAPgBAZgCAKACAJgDAIgGAZIHAKAHjgI&sclient=gws-wiz-serp>.
>
> On 30/04/2024 01:39, S Moonesamy wrote:
>
>> Hi Dennis,
>>
>> At 04:20 PM 29-04-2024, Dennis Jackson wrote:
>>
>>> Thankfully these efforts have largely failed because these national CAs have no legitimate adoption or use cases. Very few website operators would voluntarily use certificates from a national root CA when it means shutting out the rest of the world (who obviously do not trust that root CA) and even getting adoption within the country is very difficult since adopting sites are broken for residents without the national root cert.
>>
>> There are ways to promote adoption of a government-mandated CA. The stumbling point is usually browser vendors, e.g.
>> https://blog.mozilla.org/netpolicy/files/2021/05/Mozillas-Response-to-the-Mauritian-ICT-Authoritys-Consultation.pdf
>>
>> I see that you already mentioned BCP 188.
>>
>> Regards,
>> S. Moonesamy
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
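As an added illustration of the negotiation the thread is arguing about (the client advertising which trust anchors it accepts, the server choosing a chain to match, and distrust of a CA taking effect at the next handshake), here is a toy model. It is my own example, not the draft's wire format and not any browser's or server's code; the anchor IDs, chain labels, the 10-day short-lived threshold and every function name are constructed assumptions.

```python
"""Toy model of trust-anchor negotiation (added example, not the draft's wire format).

Assumptions (constructed, not from the thread): a trust anchor is identified by an
opaque string ID; the client advertises the IDs it currently trusts plus a flag
saying whether it is happy with short-lived leaf certificates; the server holds
one or more certificate chains, each labelled by the root it chains to.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

SHORT_LIVED_MAX_DAYS = 10  # constructed threshold for "short-lived" leaf certs


@dataclass
class Chain:
    root_id: str        # trust anchor identifier of the chain's root
    leaf: str           # constructed label for the end-entity certificate
    lifetime_days: int  # validity period of the leaf


@dataclass
class ClientTrustStore:
    trusted: set[str]
    accepts_short_lived: bool = False
    distrusted: set[str] = field(default_factory=set)

    def distrust(self, anchor_id: str) -> None:
        """Remove a CA locally; the next handshake simply stops advertising it."""
        self.trusted.discard(anchor_id)
        self.distrusted.add(anchor_id)

    def advertised_anchors(self) -> list[str]:
        return sorted(self.trusted)


def select_chain(server_chains: list[Chain], advertised: list[str],
                 accepts_short_lived: bool) -> Optional[Chain]:
    """Server side: pick a chain whose root the client said it trusts.

    Preference order: a short-lived chain if the client accepts them, otherwise a
    long-lived one; fall back to any trusted candidate. None means the server
    has nothing this client will accept (the "shut out" case in the thread).
    """
    wanted = set(advertised)
    candidates = [c for c in server_chains if c.root_id in wanted]
    if not candidates:
        return None
    short = [c for c in candidates if c.lifetime_days <= SHORT_LIVED_MAX_DAYS]
    long_lived = [c for c in candidates if c.lifetime_days > SHORT_LIVED_MAX_DAYS]
    preferred = short if accepts_short_lived else long_lived
    return (preferred or candidates)[0]


def handshake(client: ClientTrustStore, server_chains: list[Chain]) -> Optional[Chain]:
    chosen = select_chain(server_chains, client.advertised_anchors(),
                          client.accepts_short_lived)
    # Client-side re-check: the server must not be able to steer the client onto a
    # root it did not advertise, so the advertised set is the only thing that counts.
    if chosen is None or chosen.root_id not in client.trusted:
        return None
    return chosen


def demo() -> dict[str, Optional[str]]:
    """Run the scenarios from the thread and return the leaf label each client gets."""
    # Constructed server inventory: one CA with both a long- and a short-lived leaf,
    # and a second CA with a long-lived leaf only.
    server = [
        Chain("ca-old", "leaf-old-long", 398),
        Chain("ca-old", "leaf-old-short", 7),
        Chain("ca-new", "leaf-new-long", 398),
    ]
    # A server that only holds a chain from a national root nobody else trusts.
    national_only = [Chain("national-ca", "leaf-national", 398)]

    legacy = ClientTrustStore(trusted={"ca-old", "ca-new"}, accepts_short_lived=False)
    modern = ClientTrustStore(trusted={"ca-old", "ca-new"}, accepts_short_lived=True)

    results: dict[str, Optional[str]] = {}
    results["legacy_client"] = (handshake(legacy, server) or Chain("", "", 0)).leaf or None
    results["modern_client"] = (handshake(modern, server) or Chain("", "", 0)).leaf or None

    # Rapid distrust: the client drops ca-old after an incident; no server-side
    # change is needed, the next handshake just lands on the other root.
    modern.distrust("ca-old")
    results["after_distrust"] = (handshake(modern, server) or Chain("", "", 0)).leaf or None

    # A client that never trusted the national root cannot be served by it.
    results["national_only_server"] = (handshake(modern, national_only)
                                       or Chain("", "", 0)).leaf or None
    return results


if __name__ == "__main__":
    for name, leaf in demo().items():
        print(f"{name}: {leaf}")
```

The point the model makes explicit: nothing in the exchange lets the server present a root the client did not already ship and advertise, so the leverage a government would need is still "get the root into the browser", unchanged from today; what the client does gain is that dropping a failed CA is a local decision that takes effect on the very next connection.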