On Wed, Jun 18, 2025 at 09:19:09PM +0000, Klaus Frank wrote:
>
> (resent without breaking the thread)
>
> It also was already tried to make Google reconsider. But to no avail.
> Basically they don't care about the practical issues and at most say
> "just roll your own PKI" as everyone apparently should just stop using
> the Web-PKI for other services entirely. Well only issue is that there

I think that's an exaggeration of the actual reality ("everyone should just stop using the Web PKI for other services entirely"). While we should not be surprised that the Web PKI is being managed for the benefit of the Web ecosystem with only minimal consideration toward other ecosystems, the very nature of the Web as decentralized, open, and with server authentication fundamentally chaining toward effective control of DNS names implies that quite a lot of non-Web services will continue to be able to shoehorn their needs into something compatible with the Web model and thus continue to use the Web PKI. There is some level of risk in doing this, though, since such non-Web usage is not reflected by any primary stakeholders in the Web PKI management and thus the PKI could evolve out from under such usage (which feels like what we are seeing here).

> is basically no other PKI infrastructure to migrate towards. Especially
> none that can be assumed to be universally trusted. Call it laziness or
> whatever but almost everyone relied upon the Web-PKI. Or does anyone
> know a single one that is e.g. trusted by all operating systems but not
> by web browsers that could be used here?

The other big open/distributed PKI that is widely trusted is the DNSSEC PKI. It is, of course, managed primarily for the benefit of the DNS ecosystem, but just like the Web PKI it can be leveraged by other consumers for various purposes, e.g., via DANE as Viktor has already noted.

Given that it takes a pretty significant investment to develop the needed policies to define the goals and operations of a PKI and provide secure operation for the root key(s), it does not surprise me that very few ecosystems have committed the resources to build their own PKI from scratch. But a robust PKI is just not something to assume you can get for free.

-Ben

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
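To make the DANE alternative Ben mentions concrete, the following is an added example (not code from the thread or from any IETF project) of how a non-Web service client would match a presented certificate against a DNSSEC-signed TLSA record, as specified in RFC 6698 and RFC 7671. It assumes the TLSA RRset has already been fetched and its DNSSEC signatures validated by a validating resolver; the certificate, the function names and the `_der` encoder are all constructed for the example, and the sample certificate is a dummy that has the real X.509 field layout but contains no real key or signature.

```python
"""DANE TLSA matching (RFC 6698 section 2.1, RFC 7671): bind a certificate or its
SubjectPublicKeyInfo to a record published under _port._proto.name, signed by DNSSEC
rather than issued by a Web PKI CA.  Example code written for this thread; the
sample certificate below is constructed and contains no real key material."""
import hashlib
import hmac


def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value, raw TLV bytes) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, nxt = der_tlv(value, pos)
        yield tag, val, value[pos:nxt]
        pos = nxt


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs_body, _ = der_tlv(cert_body)
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:  # explicit [0] version is present
        fields = fields[1:]
    return fields[5][2]  # serial, sigAlg, issuer, validity, subject, SPKI


def parse_tlsa_rdata(text):
    """Parse presentation form 'usage selector mtype hex...' into a tuple."""
    parts = text.split()
    usage, selector, mtype = (int(p) for p in parts[:3])
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))


def tlsa_matches(cert_der, selector, mtype, assoc_data):
    """True if the certificate satisfies one TLSA record's selector/matching type."""
    if selector == 0:
        subject = cert_der                 # Cert(0): full certificate
    elif selector == 1:
        subject = extract_spki(cert_der)   # SPKI(1): public key only (survives re-issuance)
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        candidate = subject                            # Full(0)
    elif mtype == 1:
        candidate = hashlib.sha256(subject).digest()   # SHA2-256(1)
    elif mtype == 2:
        candidate = hashlib.sha512(subject).digest()   # SHA2-512(2)
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return hmac.compare_digest(candidate, assoc_data)


def dane_ee_accepts(cert_der, tlsa_records):
    """Accept the end-entity certificate if any DANE-EE(3) record matches it.

    Usages 0 and 1 (PKIX-TA/PKIX-EE) additionally require a Web PKI chain to validate,
    which is exactly the dependency this thread is about; usage 3 anchors trust in the
    DNSSEC-signed record alone.  Usage 2 (DANE-TA) matches an issuer in the chain and
    is deliberately not handled here.
    """
    for rec in tlsa_records:
        usage, selector, mtype, data = parse_tlsa_rdata(rec)
        if usage == 3 and tlsa_matches(cert_der, selector, mtype, data):
            return True
    return False


def _der(tag, body):
    """Encode one DER TLV (lengths below 65536, enough for the sample)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


# Constructed sample certificate: correct field layout, dummy key and signature bytes.
_EC_PUBKEY = b"\x2a\x86\x48\xce\x3d\x02\x01"        # OID 1.2.840.10045.2.1
_P256 = b"\x2a\x86\x48\xce\x3d\x03\x01\x07"         # OID 1.2.840.10045.3.1.7
_ECDSA_SHA256 = b"\x2a\x86\x48\xce\x3d\x04\x03\x02"  # OID 1.2.840.10045.4.3.2
_TIME = _der(0x17, b"250101000000Z")
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, _EC_PUBKEY) + _der(0x06, _P256))
                   + _der(0x03, b"\x00\x04" + b"\x11" * 64))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
            + _der(0x30, _der(0x06, _ECDSA_SHA256)) + _der(0x30, b"")
            + _der(0x30, _TIME + _TIME) + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _der(0x30, _der(0x06, _ECDSA_SHA256))
                   + _der(0x03, b"\x00" + b"\x22" * 70))


def sample_tlsa_record():
    """The '3 1 1' record an operator would publish for SAMPLE_CERT's key."""
    return "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()


if __name__ == "__main__":
    print(sample_tlsa_record())
    print("DANE-EE accepts sample cert:", dane_ee_accepts(SAMPLE_CERT, [sample_tlsa_record()]))
```

The selector 1 / matching type 1 form ("3 1 1") is the one RFC 7671 recommends for end-entity bindings because the record keeps matching across certificate renewals as long as the key is kept, which is what makes the DNSSEC path practical for a service that does not want to track CA policy changes. Constant-time comparison is used for the digest check out of habit; the data is public, so it is not strictly necessary here.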