2023-11-11 16:35:40
kravietz 🦇 on Nostr: npub162ytz…540e7

Part of my frustration about Mozilla’s #eIDAS campaign is that this is the first time in the last weeks that I’m actually having a fact-based discussion with someone on this topic. All discussions that preceded your post were essentially people shouting “EU JUST WANTS TO MITM US” while I explained it doesn’t, and they ended up with “oh but we still trust Mozilla”.

The key thing to understand is that the EU QC is not anything new, quite the opposite - it was introduced when SSLv2 was still a thing and web browsers had bugs like not checking X.509 critical constraints.

The level of technical and organisational maturity of QC standards is therefore much higher than WebTrust, but few people realise that because QC has been little known outside of the EU, and inside the EU it’s usually hidden in the backend of tax, pensions, e-voting or e-government systems. People use it while not even realising they use QC.

As for the actual subject - yes, presentation of the certificate validation status was a huge topic in QC regulation since the 2000s. Web browsers obscure this layer because historically the level of validation of WebTrust/CABForum was degrading rather than increasing due to two key factors:

- TLS certs are being sold on the same for-profit basis as, say, potatoes, and a phishing campaign is just as good a customer as a legitimate e-commerce website
- its customer base is the whole world, and getting legal & organisational validation globally is extremely challenging due to the variety of legal systems

As a result, a company that offered more scrutiny in the EV issuance process naturally had fewer clients than one that just issued them based on an “attestation letter”. Welcome to Gresham’s law 😉

As a result, in a market where DV certificates issued to microsoft.com and mircosoft.com offer essentially the same level of legal and organisational validation, presentation of the company name is indeed irrelevant. Another cause was pure marketing: if people saw the actual, fully validated company names and their legal location on all the cryptocurrency ICO, NFT and other one-day “investment opportunities”, they would probably think twice about it. That would be bad for business, including the web hosting business and the advertising business.

And this is why web users were indeed conditioned into accepting weird organisation names, and why the whole certification validation layer was historically reduced to a lock symbol, which is the lowest common denominator of all business models that the GAFAM industry is interested in.

The EU QC has however a completely different user base: it offers very high assurance for both organisations and individuals, where you are given legal equivalence of electronic and written signatures. There’s no problem with properly presenting such certificates in web browser UI - the problem with EVs, which were a commercial ersatz for QC, was precisely that they were an ersatz that did not work, because it didn’t make any sense if you could get a valid EV for a company registered in Sudan and it was presented in the same way as a US or EU registered company.

Author Public Key
npub1vz555w0w7pdy3l9skg202lkdnjqll4ct67l25f68x2h84e7u7r4qmrqdta
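The DV/EV/QC tiers the post contrasts, as an added example that is not part of the post or of any Nostr client: a Go classifier that reads the assurance a certificate asserts about itself from its certificatePolicies and qcStatements extensions, the information a bare lock icon hides. It assumes only the standard OIDs named in the comments and runs on constructed extensions rather than a real certificate; pass cert.Extensions from x509.ParseCertificate to apply it to one.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
)

// certificatePolicies (RFC 5280), qcStatements (RFC 3739), QcCompliance (ETSI EN 319 412-5)
// and the CA/Browser Forum reserved policy OIDs that mark EV, OV and DV issuance.
var (
	oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidQcStatements = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}
	oidQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}
	cabfLevel       = map[string]string{"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}
)

// oidSeq captures the leading OID of a PolicyInformation or QCStatement; encoding/asn1 ignores
// the optional trailing fields (policy qualifiers, statementInfo) when decoding into it.
type oidSeq struct{ Id asn1.ObjectIdentifier }

// AssuranceLevel reports what a certificate asserts about its own validation, given the
// Extensions of a parsed x509.Certificate: "QC" when qcStatements carries QcCompliance,
// otherwise the CA/B Forum policy class (EV, OV, DV), otherwise "unknown".
func AssuranceLevel(exts []pkix.Extension) string {
	level := "unknown"
	for _, ext := range exts {
		var seq []oidSeq
		if _, err := asn1.Unmarshal(ext.Value, &seq); err != nil {
			continue // not a SEQUENCE OF { OID, ... } extension
		}
		for _, s := range seq {
			if ext.Id.Equal(oidQcStatements) && s.Id.Equal(oidQcCompliance) {
				return "QC" // a qualified certificate outranks any commercial tier
			}
			if l, ok := cabfLevel[s.Id.String()]; ok && ext.Id.Equal(oidCertPolicies) {
				level = l
			}
		}
	}
	return level
}

// ConstructedExtensions builds the extensions a certificate at the given tier would carry
// (constructed sample input for this demo, not taken from any real certificate).
func ConstructedExtensions(policy asn1.ObjectIdentifier, qc bool) []pkix.Extension {
	polDER, _ := asn1.Marshal([]oidSeq{{Id: policy}})
	exts := []pkix.Extension{{Id: oidCertPolicies, Value: polDER}}
	if qc {
		qcDER, _ := asn1.Marshal([]oidSeq{{Id: oidQcCompliance}})
		exts = append(exts, pkix.Extension{Id: oidQcStatements, Value: qcDER})
	}
	return exts
}
```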