Ah Python, you have spoiled me for all other languages

Steven D'Aprano steve at pearwood.info
Sun May 24 06:26:18 EDT 2015


On Sun, 24 May 2015 02:53 am, Marko Rauhamaa wrote:

> Steven D'Aprano <steve at pearwood.info>:
> 
>> On Sat, 23 May 2015 10:44 pm, Marko Rauhamaa wrote:
>>> Here's an idea: an authentication is considered valid if it is
>>> vouched for by the United States, China, Russia *and* the European
>>> Union. Those governments are the only entities that would have the
>>> right to delegate their respective certification powers to private
>>> entities.
>>
>> An interesting mix of:
>>
>> - one explicitly non-democratic one-party state;
>> - one nominally democratic but de facto autocratic state;
>> - one nominally democratic but de facto two-party corporatocracy;
>> - one supranational union of states;
> 
> Yes, the same principles that make the UN do a lot of good in the world
> despite those shortcomings.
> 
>> If you gave them veto power over all certificate authorities (since
>> you need all four to agree, any of them can veto a CA),
> 
> No, they wouldn't be able to veto a CA. At worst, they would be able to
> refuse you a certificate. If they did that, they would risk being
> dropped from the power pool.

That's not what you said. You said, and I quote:

"an authentication is considered valid if it is vouched for by the United
States, China, Russia *and* the European Union."

[Emphasis in the original.]

So if (let's say) the US, China and Russia all agree that Certs-R-Us is a
legitimate CA, but the EU disagrees for some reason, then certificates
issued by Certs-R-Us will *not* be accepted as valid. Hence the EU has veto
power over CAs, and by extension, certificates. And likewise any of the
others: it only takes one refusal for the certificate to be invalid.

If the certificate is *not* invalidated, then people can trust certificates
regardless of whether they are vouched for by all four states (counting the
EU as a state for simplicity) or not. If I can choose to trust Certs-R-Us
despite the failure of the EU to vouch for them, then I can equally trust
*any* CA, whether they are vouched for by all four states or by none of
them. Which brings us right back to the present system.

(And by the way, I'd be more inclined to trust a CA that was vouched for by,
say, the Norwegian government than one vouched for by the Russian
government.)

And what's this "dropped from the power pool" business? You never mentioned
a mechanism for removing a state from the privileged group. Who has
authority to do that?

If it's too hard to change the four-state solution ("What, we have to
completely redesign the entire Internet, again?") then they will never be
removed no matter how they abuse their privilege. If it is too easy ("just
edit /etc/ca-approvals"), then we'll have chaos where nobody agrees on who
can authorise CAs. Somewhere in the middle there's a point where the four
states will never refuse a CA, no matter how dodgy, lest they get kicked
out. In which case we haven't really solved the problem we're trying to
solve, just moved it around a bit.


>>> The governments would also offer to certify anybody in the world free
>>> of charge.
>>
>> Why would they do that?
> 
> They would have something to gain and something to lose:
> 
>  1. They would gain protection for their citizens and companies against
>     foreign MitM attacks.
> 
>  2. They would lose the power to perform MitM attacks on their own
>     citizens.
> 
> Unfortunately, the governments of the world fear their own citizens more
> than each other, so they would likely not go with the kind of plan I
> presented.

Charles Stross has some interesting ideas on that. The economic and
political elites are clamping down on dissent as a preemptive
counter-revolution:

http://www.antipope.org/charlie/blog-static/2013/07/who-ordered-that.html
 
> At the moment any sovereign government and sizeable criminal outfit 

Or medium sized corporation. Oh wait, I see you already mentioned criminal
outfits.


> can cook up valid certificates for any website in the world. That's
> because each CA is trusted completely.

I'm not sure that it is much of a benefit to swap from a free-market,
reputation-based system to a four-party oligopoly.




-- 
Steven