nanog mailing list archives
Re: Russia attempts mandating installation of root CA on clients for TLS MITM
From: Carsten Bormann <cabo () tzi org>
Date: Sun, 13 Mar 2022 13:37:59 +0100
On 2022-03-13, at 01:33, Sean Donelan <sean () donelan com> wrote:
It's not a question of whether you trust one CA (e.g. the Russian Ministry of Digital Development CA), but whether everyone trusts all 100+ CAs in universal trust stores to sign everything/anything.
Right. Authorization is not a binary thing. You don’t divide your world into the two classes “authorized” and “unauthorized”; you authorize for specific permissions. Your house cleaners may get access to your home, but not to your bank account. (I hear whispering: “Authorization? I thought we were talking about authentication.” Yes. But we authenticate to authorize, and while we are doing this, we authorize (“trust”) to authenticate. We need to qualify this “trust” with what the resulting authorization can do.)
Again, I understand why companies and open source projects don't want to maintain different trust lists for different jurisdictions around the world. Like other localization requirements (currency, date & time formats, languages) maybe its time has come for localization requirements for TLS/SSL trust lists?
Oh. Your message started insightful. Now you are back to binary authorization, just with a jurisdiction parameter going in. Grüße, Carsten
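To make the "qualified trust" idea above concrete, here is an added example that is not part of the thread and not anyone's deployed code: a scoped trust list in which each root CA is authorized only for a DNS name space, evaluated with the dNSName name-constraint matching rule from RFC 5280 section 4.2.1.10 (a name satisfies a constraint when it equals it or is formed by prepending labels to it). The root names and the name spaces in the trust list are constructed for illustration.

```python
"""Scoped trust: decide which roots in a trust list are authorized to vouch
for a given hostname, instead of treating every root as authorized for
everything. Added illustration; the trust list below is constructed."""
from dataclasses import dataclass, field


@dataclass
class ScopedRoot:
    name: str
    permitted: list = field(default_factory=list)  # empty list = no permitted restriction
    excluded: list = field(default_factory=list)   # excluded subtrees always win


def dns_matches(hostname: str, constraint: str) -> bool:
    """RFC 5280 dNSName constraint matching: 'www.host.example.com' satisfies
    'host.example.com', but 'host1.example.com' does not. Case-insensitive,
    trailing dots ignored."""
    h = hostname.lower().rstrip(".")
    c = constraint.lower().rstrip(".")
    return h == c or h.endswith("." + c)


def root_authorized_for(root: ScopedRoot, hostname: str) -> bool:
    """A root is authorized for a hostname only if the name is not excluded
    and (when permitted subtrees are set) falls inside one of them."""
    if any(dns_matches(hostname, c) for c in root.excluded):
        return False
    if not root.permitted:
        return True
    return any(dns_matches(hostname, c) for c in root.permitted)


def authorized_roots(trust_list, hostname: str):
    """Names of the roots a client would accept as the anchor of a chain
    presented for this hostname."""
    return [r.name for r in trust_list if root_authorized_for(r, hostname)]


# Constructed trust list: a general-purpose root that is barred from one name
# space, and a jurisdiction-specific root confined to that same name space.
TRUST_LIST = [
    ScopedRoot("Global Example Root", excluded=["example.test"]),
    ScopedRoot("Jurisdiction X Root", permitted=["example.test"]),
]

if __name__ == "__main__":
    for host in ("www.example.test", "bank.example.org"):
        print(host, "->", authorized_roots(TRUST_LIST, host))
```

With this policy a chain for `www.example.test` is accepted only if it anchors at the jurisdiction-specific root, and that root cannot vouch for `bank.example.org` at all; the universal list's "one root signs anything" property is replaced by a per-root scope. A real client would apply the same check to the names in the leaf certificate's subjectAltName before accepting the chain.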