Gregory Maxwell [ARCHIVE] on Nostr:
📅 Original date posted:2012-11-26
📝 Original message:On Mon, Nov 26, 2012 at 6:44 PM, Luke-Jr <luke at dashjr.org> wrote:
> On Monday, November 26, 2012 11:32:46 PM Gregory Maxwell wrote:
>> Obviously the state of the world with browsers is not that good... but
>> in our own UAs we can do better and get closer to that.
>
> This effectively centralizes Bitcoin (at least in the eyes of many) and even
> if each competing client had their own list, you'd be back to the original
> "problem" of not being sure your CA is on all lists.

That's the CA model generally. It _is_ a distributed-centralized model
in practice.

>> Would you find it acceptable if something supported a static whitelist
>> plus an OS provided list minus a user configured blacklist and the
>> ability for sophisticated users to disable the whitelist?
>
> How is this whitelist any different from the list of CAs included by default
> with every OS?

Because the list is not identical (and of course, couldn't be without
centralizing control of all OSes :P ) meaning that the software has to
be set up in a way where false-positive authentication failures are a
common thing (terrible for user security) or merchants have to waste a
bunch of time, probably unsuccessfully, figuring out what certs work
sufficiently 'everywhere' and likely end up handing over extortion
level fees to the most well established CAs that happen to be included
on the oldest and most obscure things.

Taking— say— the intersection of Chrome, Webkit, and Firefox's CA list
as of the first of the year every year and putting the result on a
whitelist would be a possible nothing-up-my-sleeve approach which is
not as limited as having some users subject to the WinXP cert list,
which IIRC is very limited (but not in a way that improves security!).

Jeff wrote:
> Self-signed certs are quite common, because it is easier, while being
> more secure than http://

Uhh. Really? Well, I agree with you that they should be (I
unsuccessfully lobbied browser vendors to make self-signed https on
http URLs JustWork and simply hide all user visible evidence of
security), but the really nasty warnings on those sites undermine the
security of the sites _and_ of other HTTPS sites because it conditions
users to click ignore-ignore-ignore. I don't think they are all that
common.

One thing which I think will be hard for us in this discussion is
being sensitive to the (quite justified!) concerns that the current CA
system is absolute rubbish, both terrible for security, usability, and
an unreasonable barrier to entry relative to the provided security—
without allowing the discussion to be usurped by everyone's pet
replacement, which there are a great many of with varying feasibility
and security.

Perhaps we should agree to talk about everything _except_ that first?
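The trust-anchor policy sketched in the message above (a static whitelist plus the OS-provided root list, minus a user-configured blacklist, with the whitelist switchable off, and the whitelist itself seeded from the intersection of several vendors' root lists) can be modelled as a few set operations over root fingerprints. The following is an added example, not code from the original post or from any Bitcoin client; the root certificates are constructed placeholder byte strings, and the vendor and OS lists are made-up scenarios chosen to exercise the edge cases: a merchant root that the OS store lacks but the whitelist carries, a blacklisted root that is present everywhere else, and the behaviour when a sophisticated user disables the whitelist.

```python
"""Model of the composed trust-anchor policy discussed above (added example).

    effective anchors = (static whitelist ∪ OS-provided list) − user blacklist
    yearly whitelist  = intersection of several vendors' root lists

Roots are identified by the SHA-256 fingerprint of their DER encoding, as
browsers display them.  The DER blobs below are constructed placeholders,
not real CA certificates.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, FrozenSet


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 of a root's DER encoding; the key used for set membership."""
    return hashlib.sha256(der).hexdigest()


# Constructed stand-ins for root certificates (not real roots).
ROOT_A = b"constructed-root-A"
ROOT_B = b"constructed-root-B"
ROOT_C = b"constructed-root-C"
ROOT_D = b"constructed-root-D"


def yearly_whitelist(vendor_lists: Iterable[Iterable[str]]) -> FrozenSet[str]:
    """Intersection of vendor root lists (the nothing-up-my-sleeve rule).

    A root is whitelisted only if every vendor ships it, so no single vendor
    can add a root to the whitelist on its own.  An empty input yields an
    empty whitelist rather than trusting everything.
    """
    sets = [frozenset(v) for v in vendor_lists]
    if not sets:
        return frozenset()
    result = sets[0]
    for other in sets[1:]:
        result &= other
    return result


@dataclass(frozen=True)
class TrustPolicy:
    static_whitelist: FrozenSet[str]
    os_provided: FrozenSet[str]
    user_blacklist: FrozenSet[str] = frozenset()
    whitelist_enabled: bool = True

    def effective_anchors(self) -> FrozenSet[str]:
        """Roots a chain may terminate in under this policy."""
        anchors = self.os_provided
        if self.whitelist_enabled:
            # Union, not intersection: the whitelist exists to cover roots
            # that some OS stores lack, reducing false-positive failures.
            anchors = anchors | self.static_whitelist
        # The blacklist is applied last so a user-distrusted root stays out
        # even when both the whitelist and the OS list carry it.
        return anchors - self.user_blacklist


def chain_trusted(root_der: bytes, policy: TrustPolicy) -> bool:
    """Would a chain ending in this root validate under the policy?"""
    return fingerprint(root_der) in policy.effective_anchors()


# Constructed scenario: three vendor lists, a narrow OS store, one blacklist.
VENDOR_LISTS = [
    [fingerprint(ROOT_A), fingerprint(ROOT_B), fingerprint(ROOT_C)],  # "Chrome"
    [fingerprint(ROOT_A), fingerprint(ROOT_B), fingerprint(ROOT_D)],  # "WebKit"
    [fingerprint(ROOT_A), fingerprint(ROOT_B), fingerprint(ROOT_C),
     fingerprint(ROOT_D)],                                            # "Firefox"
]
OS_STORE = frozenset({fingerprint(ROOT_A), fingerprint(ROOT_C)})
USER_BLACKLIST = frozenset({fingerprint(ROOT_C)})

POLICY = TrustPolicy(
    static_whitelist=yearly_whitelist(VENDOR_LISTS),
    os_provided=OS_STORE,
    user_blacklist=USER_BLACKLIST,
)
POLICY_NO_WHITELIST = TrustPolicy(
    static_whitelist=POLICY.static_whitelist,
    os_provided=OS_STORE,
    user_blacklist=USER_BLACKLIST,
    whitelist_enabled=False,
)


if __name__ == "__main__":
    for name, root in (("A", ROOT_A), ("B", ROOT_B), ("C", ROOT_C), ("D", ROOT_D)):
        print(f"root {name}: whitelist on={chain_trusted(root, POLICY)} "
              f"off={chain_trusted(root, POLICY_NO_WHITELIST)}")
```

Root B is the interesting case: it is absent from the constructed OS store, so with the whitelist disabled a merchant using it would fail on that platform, while with the whitelist enabled it validates because every vendor list carries it. Root C shows the blacklist winning over both other lists, and root D shows that a root shipped by only some vendors never reaches the whitelist.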
Published at 2023-06-07 10:39:50