📅 Original date posted:2012-11-26
📝 Original message:On Tuesday, November 27, 2012 12:16:07 AM Gregory Maxwell wrote:
> On Mon, Nov 26, 2012 at 6:44 PM, Luke-Jr <luke at dashjr.org> wrote:
> > On Monday, November 26, 2012 11:32:46 PM Gregory Maxwell wrote:
> >> Would you find it acceptable if something supported a static whitelist
> >> plus a OS provided list minus a user configured blacklist and the
> >> ability for sophisticated users to disable the whitelist?
> >
> > How is this whitelist any different from the list of CAs included by
> > default with every OS?
>
> Because the list is not identical (and of course, couldn't be without
> centralizing control of all OSes :P ) meaning that the software has to
> be setup in a way where false-positive authentication failures are a
> common thing (terrible for user security) or merchants have to waste a
> bunch of time, probably unsuccessfully, figuring out what certs work
> sufficiently 'everwhere' and likely end up handing over extortion
> level fees to the most well established CAs that happen to be included
> on the oldest and most obscure things.
There is a common subset of CAs which are included in all OSs.
That's the "whitelist equivalent". We or someone else could even setup a list
of these common CAs for merchants if that is needed.
The fees CAs charge for certs is a flaw in the CA model in general, I don't
see that it's important for us to solve it.
Luke-Jr [ARCHIVE] /
npub1dt…u7wrs
2023-06-07 10:40:06
in reply to nevent1q…02hu
Author Public Key
npub1dtr22xd42nv07un2xq0rmtkqkjylgsmexau0anxxafa9xmmn2ncshu7wrsPublished at
2023-06-07 10:40:06Event JSON
{
"id": "45fe245a1cc18c14d2df1f9790b7da5c6adb110761c37ae9d6d5483c7da111b9",
"pubkey": "6ac6a519b554d8ff726a301e3daec0b489f443793778feccc6ea7a536f7354f1",
"created_at": 1686134406,
"kind": 1,
"tags": [
[
"e",
"f5f2400f8aa8a7067be3d080f096fd7cbfeecdd6e589c178b85b63a9338150a5",
"",
"root"
],
[
"e",
"9ba7ca01ad9d4de2288a49c3ac403ee9cafb253731503a18155f1a0e8472f9a3",
"",
"reply"
],
[
"p",
"f2c95df3766562e3b96b79a0254881c59e8639f23987846961cf55412a77f6f2"
]
],
"content": "📅 Original date posted:2012-11-26\n📝 Original message:On Tuesday, November 27, 2012 12:16:07 AM Gregory Maxwell wrote:\n\u003e On Mon, Nov 26, 2012 at 6:44 PM, Luke-Jr \u003cluke at dashjr.org\u003e wrote:\n\u003e \u003e On Monday, November 26, 2012 11:32:46 PM Gregory Maxwell wrote:\n\u003e \u003e\u003e Would you find it acceptable if something supported a static whitelist\n\u003e \u003e\u003e plus a OS provided list minus a user configured blacklist and the\n\u003e \u003e\u003e ability for sophisticated users to disable the whitelist?\n\u003e \u003e \n\u003e \u003e How is this whitelist any different from the list of CAs included by\n\u003e \u003e default with every OS?\n\u003e \n\u003e Because the list is not identical (and of course, couldn't be without\n\u003e centralizing control of all OSes :P ) meaning that the software has to\n\u003e be setup in a way where false-positive authentication failures are a\n\u003e common thing (terrible for user security) or merchants have to waste a\n\u003e bunch of time, probably unsuccessfully, figuring out what certs work\n\u003e sufficiently 'everwhere' and likely end up handing over extortion\n\u003e level fees to the most well established CAs that happen to be included\n\u003e on the oldest and most obscure things.\n\nThere is a common subset of CAs which are included in all OSs.\nThat's the \"whitelist equivalent\". We or someone else could even setup a list \nof these common CAs for merchants if that is needed.\n\nThe fees CAs charge for certs is a flaw in the CA model in general, I don't \nsee that it's important for us to solve it.",
"sig": "d0722e415f04b26db10041264e2692f4d1a57586726da38eb1e985df9cc3fb8be95e9a7629960964fd1392ee770309aa97d1446c5ae6d44665f74ae0e7db63e8"
}