Hello,

On Tuesday, 7 July 2015 at 03:02:48 UTC+2, Peter Bowen wrote:
> Thinking about this from a technical perspective, rather than a
> political one, this seems very similar to a user deciding to add
> additional certificates to their trust store.  I think the primary
> differences are the need to add a set of certificates and possibly
> automatically update the list.
> 
> If there was a standard for publishing trust lists where the list
> comes in one file and is signed, then I can imagine an option to
> "import list" and the list could contain a URL to fetch new versions.

You mean, like the ETSI TS 102231 standard? It is used today by European 
members and the European Commission.
The first list of lists is located at 
https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml
and references 31 national lists of trust services.

The standard defines both a (somewhat obsolete) ASN.1 encoding, and a 
(currently used) XML encoding for this list.

> Then the user could simply select to use the "EU Trust List", the
> "China Trust List", or the "US Government Trust List".  The browser
> would periodically fetch new versions of the list, validate the
> signature (using the key of the previous list), and switch to that
> list.  Microsoft already has their SST format; possibly this could be
> the starting point for an open format usable by all.
> 
> This would avoid the need for a vendor to maintain hundreds of trust
> lists and allow customers to deploy their own trust list policies.

I don't like it, but I'm afraid European users will be more or less supposed to 
trust what is declared in a TSL, because of eIDAS.
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy