2023-11-11 17:08:01

kravietz 🦇 npub12wfyg…f8kwl npub199wcw…6n803 npub1llzxp…w08cq

If someone wants to make better EV, sure, I don't expect that to be very beneficial (because e.g. avoidance of misleadingly similar names across different countries is likely to be at least as large a problem), but I have nothing against it in principle (I might strongly object to implementations that end up imposing costs on unwilling participants, but I have no reason to expect any random implementation to be like that).

I don't get why the regulation has to compel anyone to trust those root signing keys, esp. for reasons unrelated to anything EV-like (yes, we can't disentangle that _now_, but I don't see why we'd want to compel that at all). I would understand the regulation compelling browsers not to trust any other root signing keys _for some subset of the org hierarchy_. We have a significant amount of history of the CAB forum to show that (a) CAs that have a reason for their existence that's not satisfied by another CA and that's relevant for HTTPS get accepted (b) CAs get distrusted in cases where they have demonstrated lack of will or ability to ensure appropriate verification before/procedure around issuing certs or to respond truthfully. Many of these cases relied on participants' knowledge about what's reasonable and about nonobvious potential consequences (v. all the amusing ways of detrusting future certs only), so I am by default doubtful that whatever procedure eIDAS provides for is going to be less manipulatable by the CAs.

It's not only GAFAD that cares mostly about DV. If the domain owner has no legal identity that is relevant (e.g. is a person), then they don't care for anything EV-like. A small business/organisation might also not care for EV, because it's just as easy for them to make people aware of the legal name as it is to make them aware of the domain (I'm not certain about legal names of 3/4 small local businesses/organisations that I could recall on the spot, but could recall the domain names of their websites). I expect that this is mostly beneficial for companies of the size of Ford or Migros, but for such companies the problem of international name near-collisions starts to appear (because the user is unlikely to reliably remember what country the company should be from).

Also, DV is important insofar as it's trusted by browsers. Cookies, local storage, and the meaning of "same origin" are all bound to domains, not subtrees of organisation space. This makes me consider DV as important for anyone who actually has users' private data and serves it back to them.
Author Public Key
npub1v67gmn7f4vlg3fcrk8up3p08rkmqqaxmw0he3hf9f8h09jre332qds9004