On 2025-06-19 01:58:05, Andrew Chen wrote:
Somewhat tongue in cheek -- have you considered buying certificates from
CAs distrusted by Chrome and Mozilla? If you're operating outside of the
WebPKI ecosystem, I'm guessing you don't really care about the CA distrusts
that have occurred over the last few years (or ever?). Perhaps DigiCert would be
willing to sell you a certificate with the clientAuth EKUs from their
distrusted Symantec and Verisign roots? Another option might be any of the
distrusted Entrust roots.

Andrew

Well, are they still trusted by the operating system then?

The entire point of using the Web-PKI was because it is the common denominator of all of the different platforms and therefore universally supported.

The issue with the current policy change is that you can't even buy such certs anymore, as now all of them are as good as if you'd just self-signed them to begin with.

So the issue remains: what certificate do I present that you trust, without having interacted with me before, to properly authenticate the system using its DNS domain or IP address? All that your server cares about is that my server is from the domain it claims to be from (aka that no malicious 3rd party can impersonate it), including for the very first connection our systems ever made, regardless of your system connecting to my system or my system connecting to yours. And not just with two parties but with an unknown and constantly changing number of parties that are spread out globally. So how would using the Symantec or Entrust roots help in these deployments? And even more interestingly, how would it be secure? I mean, why would anyone trust them after they have already lost their trust within the Web-PKI years ago? Managing what is and is not trusted is one of the reasons why PGP with the Web of Trust never managed to replace the Web-PKI...

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
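To make the EKU question in the thread concrete, here is an added Go example (not code from either poster): it builds a constructed in-memory CA and a peer certificate, then runs the check a relying party performs on a never-before-seen peer. The CA name, peer.example.net and the helper names are assumptions; the point it shows is that a chain to a trusted root plus a matching name is still rejected when the certificate lacks the EKU for the role (clientAuth) being asserted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint: fresh Ed25519 key, fills serial/validity, signs tmpl under parent (self-signed when signerKey is nil).
func mint(tmpl, parent *x509.Certificate, signerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // demo serial; fine for constructed in-memory test data
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if signerKey == nil {
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue: constructed private CA plus a leaf for dnsName carrying exactly the EKUs given, and the root pool a relying party trusts.
func issue(dnsName string, ekus []x509.ExtKeyUsage) (*x509.Certificate, *x509.CertPool, error) {
	ca, caKey, err := mint(&x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Test CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := mint(&x509.Certificate{Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, // the identity the relying party matches on
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots, err
}

// acceptPeer is the relying party's check: chain to a trusted root, name match, and an EKU permitting the asserted role.
func acceptPeer(leaf *x509.Certificate, roots *x509.CertPool, name string, role x509.ExtKeyUsage) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{role}})
	return err
}
```

A serverAuth-only leaf passes acceptPeer for x509.ExtKeyUsageServerAuth but fails for x509.ExtKeyUsageClientAuth with IncompatibleUsage, which is exactly the situation the thread describes once CAs stop including clientAuth.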
