nanog mailing list archives
Re: Russia attempts mandating installation of root CA on clients for TLS MITM
From: Sean Donelan <sean () donelan com>
Date: Thu, 17 Mar 2022 15:38:59 -0400 (EDT)
On Sun, 13 Mar 2022, Carsten Bormann wrote:
> Oh. Your message started insightful. Now you are back to binary authorization, just with a jurisdiction parameter going in.
Public CAs are third-party introducers. It's like a friend of a friend of a friend sets you up on a blind date. Your friend's friend's friend may mean well, but you shouldn't rely on them for authentication or authorization of the trustworthiness of the person on the date.
Just read the disclaimers of liability in every public CA statement of practices. The CA's 'customer' is the purchaser of the certificate, not an end-user.
Private CAs are a different matter. Sometimes (frequently) people confuse their relationships between public CAs versus private CAs. Admittedly, public CA marketing departments encourage that confusion. The legal folks call it "puffery."
Netscape's original engineering goal was convincing the public it was safe to use credit cards for ecommerce sites on the mid-1990s Internet. If you saw a padlock icon it was "safe" to enter your credit card number. Of course, people immediately started putting padlock icons on web pages :-(
Authentication/authorization about an end-user's relationship with a public CA is mostly mumbo-jumbo. The public also gets confused by the role of notary publics, bearer instruments, cashier's cheques, pen-and-paper signatures, and old-fashioned wax seals. Con artists have taken advantage of that misplaced trust for hundreds of years.