npub162ytz6y0t7fwwdh8fmj02l82d749t2854puhnuz4gcye7dt4jy8qj540e7 (npub162y…40e7)
Part of my frustration about Mozilla’s #eIDAS campaign is that this the first time in the last weeks that I’m actually having a fact-based discussion with someone on this topic. All discussions that preceded your pot were essentially people shouting “EU JUST WANTS TO MITM US” while I explained it doesn’t and they ended up with “oh but we still trust Mozilla”.
They key thing to understand is that the EU QC is not anything new, quite the opposite - it was introduced when SSLv2 was still a thing and web browsers had bugs like not checking X.509 critical constraints.
The level of technical and organisational maturity of QC standards is therefore much higher than WebTrust, but few people do realise that because QC has been little known outside of EU and inside EU it’s usually hidden in the backend of tax, pensions, e-voting or e-government systems. People use it, while not even realising they use QC.
As for the actual subject - yes, presentation of the certificate validation status was a huge topic in QC regulation since 2000’s. Web browsers obscure this layer because historically the level validation of WebTrust/CABForum was degrading rather than increasing due to two key factors:
TLS certs are being sold on the same for-profit basis as say potatoes and a phishing campaign is just as good customer as a legitimate e-commerce website
its customer base is the whole world and getting legal & organisational validation globally is extremely challenging due to the variety of legal systems
As result, a company that offered more scrutiny in EV issuance process naturally had less clients than one that just issued based them on an “attestation letter”. Welcome to the Gresham’s law 😉
As result, on the market where DV certificates issued to microsoft.com and mircosoft.com offer essentially the same level of legal and organisational validation, presentation of the company name is indeed irrelevant. Another cause was pure marketing: if people saw the actual, fully validated company names and their legal location on all the cryptocurrency ICO, NFT and other one-day “investment opportunities”, they would probably think twice about. That would be bad for business, including web hosting business and advertising business.
And this is why web users were indeed conditioned into accepting weird organisation names, and why the whole certification validation layer was historically reduced to a lock symbol, which is the lowest common denominator of all business models that the GAFAM industry is interested in.
The EU QC has however a completely different user base: it offers a very high assurance for both organisations and individuals, where you are given a legal equivalence of electronic and written signature. There’s no problem with properly presenting such certificates in web browser UI - the problem with EVs that were a commercial ersatz for QC was precisely that they were an ersatz that did not work because it didn’t make any sense if you could get a valid EV for a company registered in Sudan and it was presented in the same was as an US or EU registered company.
npub12wfyg7nljr8h25apv0c2fvqd2l5dcmdymc9d3x7zdy2xtzztaysq7f8kwl (npub12wf…8kwl) npub199wcwgvkde7wnu22asa9qlg7wzlj4ff6s3qkmvsmgkffaep24nhqq6n803 (npub199w…n803) npub1llzxpc6c3w92hczu49dsxcfqkp5tl9f5e30urrgf2v8tqnu7pkgsww08cq (npub1llz…08cq)
kravietz 🦇 /
npub1vz…rqdta
2023-11-11 16:35:40
in reply to nevent1q…pdt3
Author Public Key
npub1vz555w0w7pdy3l9skg202lkdnjqll4ct67l25f68x2h84e7u7r4qmrqdtaSeen on
wss://relay.noswhere.comPublished at
2023-11-11 16:35:40Event JSON
{
"id": "21c4fddc0a3d5b049fe04bdf71fa7199b01d15a1b260f75d752a2b42fcd239b5",
"pubkey": "60a94a39eef05a48fcb0b214f57ecd9c81ffd70bd7beaa274732ae7ae7dcf0ea",
"created_at": 1699720540,
"kind": 1,
"tags": [
[
"p",
"d288b1688f5f92e736e74ee4f57cea6faa55a8f4a87979f05546099f3575910e",
"wss://relay.mostr.pub"
],
[
"p",
"5392447a7f90cf7553a163f0a4b00d57e8dc6da4de0ad89bc2691465884be920",
"wss://relay.mostr.pub"
],
[
"p",
"295d8721966e7ce9f14aec3a507d1e70bf2aa53a84416db21b45929ee42aacee",
"wss://relay.mostr.pub"
],
[
"p",
"ffc460e3588b8aabe05ca95b036120b068bf9534cc5fc18d09530eb04f9e0d91",
"wss://relay.mostr.pub"
],
[
"p",
"66bc8dcfc9ab3e88a703b1f81885e71db60074db73ef98dd2549eef2c8798c54",
"wss://relay.mostr.pub"
],
[
"p",
"3ef68672b5a78c720e038b657bcd213f2e1a41d2d272dd48836c701e3d8e4e13",
"wss://relay.mostr.pub"
],
[
"p",
"16c19e6e50f04807261ee4ea3c3410f6ffd65cbb122e2d7e150c1b4ad98439be",
"wss://relay.mostr.pub"
],
[
"p",
"ff941f32190d7b997560f178c1c4c705b6668a40473a057474ba590ebd85744f",
"wss://relay.mostr.pub"
],
[
"e",
"26a5517f4dd6b189c5f8ecba735b88a265a6499e62f35defba81a7b5f383a84a",
"wss://relay.mostr.pub",
"reply"
],
[
"t",
"eidas"
],
[
"proxy",
"https://agora.echelon.pl/objects/28b3f53d-1f47-49bf-95f6-9187a1cd3e53",
"activitypub"
]
],
"content": "nostr:npub162ytz6y0t7fwwdh8fmj02l82d749t2854puhnuz4gcye7dt4jy8qj540e7 \n\nPart of my frustration about Mozilla’s #eIDAS campaign is that this the first time in the last weeks that I’m actually having a fact-based discussion with someone on this topic. All discussions that preceded your pot were essentially people shouting “EU JUST WANTS TO MITM US” while I explained it doesn’t and they ended up with “oh but we still trust Mozilla”.\n\nThey key thing to understand is that the EU QC is not anything new, quite the opposite - it was introduced when SSLv2 was still a thing and web browsers had bugs like not checking X.509 critical constraints.\n\nThe level of technical and organisational maturity of QC standards is therefore much higher than WebTrust, but few people do realise that because QC has been little known outside of EU and inside EU it’s usually hidden in the backend of tax, pensions, e-voting or e-government systems. People use it, while not even realising they use QC.\n\nAs for the actual subject - yes, presentation of the certificate validation status was a huge topic in QC regulation since 2000’s. Web browsers obscure this layer because historically the level validation of WebTrust/CABForum was degrading rather than increasing due to two key factors:\n\nTLS certs are being sold on the same for-profit basis as say potatoes and a phishing campaign is just as good customer as a legitimate e-commerce website\nits customer base is the whole world and getting legal \u0026 organisational validation globally is extremely challenging due to the variety of legal systems\n\nAs result, a company that offered more scrutiny in EV issuance process naturally had less clients than one that just issued based them on an “attestation letter”. Welcome to the Gresham’s law 😉 \n\nAs result, on the market where DV certificates issued to microsoft.com and mircosoft.com offer essentially the same level of legal and organisational validation, presentation of the company name is indeed irrelevant. Another cause was pure marketing: if people saw the actual, fully validated company names and their legal location on all the cryptocurrency ICO, NFT and other one-day “investment opportunities”, they would probably think twice about. That would be bad for business, including web hosting business and advertising business.\n\nAnd this is why web users were indeed conditioned into accepting weird organisation names, and why the whole certification validation layer was historically reduced to a lock symbol, which is the lowest common denominator of all business models that the GAFAM industry is interested in.\n\nThe EU QC has however a completely different user base: it offers a very high assurance for both organisations and individuals, where you are given a legal equivalence of electronic and written signature. There’s no problem with properly presenting such certificates in web browser UI - the problem with EVs that were a commercial ersatz for QC was precisely that they were an ersatz that did not work because it didn’t make any sense if you could get a valid EV for a company registered in Sudan and it was presented in the same was as an US or EU registered company.\n\nnostr:npub12wfyg7nljr8h25apv0c2fvqd2l5dcmdymc9d3x7zdy2xtzztaysq7f8kwl nostr:npub199wcwgvkde7wnu22asa9qlg7wzlj4ff6s3qkmvsmgkffaep24nhqq6n803 nostr:npub1llzxpc6c3w92hczu49dsxcfqkp5tl9f5e30urrgf2v8tqnu7pkgsww08cq",
"sig": "8f71b3f5cbb31e9ad760c749888462418b902bfa3b01e7b4328f1922b3d2eb87cd7a2510f81b2cd6f21a77e7bfb04563887e6d765740df1ac893afce9fca9c09"
}