Ah Python, you have spoiled me for all other languages

Marko Rauhamaa marko at pacujo.net
Sun May 24 11:26:44 EDT 2015 

Steven D'Aprano <steve at pearwood.info>:

> On Sun, 24 May 2015 02:53 am, Marko Rauhamaa wrote:
> "an authentication is considered valid if it is vouched for by the United
> States, China, Russia *and* the European Union."
>
> [Emphasis in the original.]
>
> So if (let's say) the US, China and Russia all agree that a Certs-R-Us are a
> legitimate CA,

I never proposed those countries should agree on a legitimate CA. Each
country would have their distinct, respective sets of CAs. A website
would be considered legitimate only if it possessed certificates from
all of the four domains.

> but the EU disagrees for some reason. Then certificates issued by
> Certs-R-Us will *not* be accepted as valid. Hence the EU has veto
> power over CAs, and by extension, certificates. And likewise any of
> the others: it only takes one refusal for the certificate to be
> invalid.

For the scheme to work, the countries would agree never to refuse to
certify a legitimate entity.

> (And by the way, I'd be more inclined to trust a CA that was vouched
> for by, say, the Norwegian government than one vouched for by the
> Russian government.)

You'd be asked to trust a server if it were vouched for by four CAs from
four independent power blocks. It would be in the power blocks'
interests to do their certification work properly because sloppiness
would only benefit their "adversaries."

> And what's this "dropped from the power pool" business? You never
> mentioned a mechanism for removing a state from the privileged group.
> Who has authority to do that?

A mechanism like that would have to be fleshed out in detail. There
could be many variations. But the main point is that no single
government or CA should have the means to spoof a peer.

> I'm not sure that it is much of a benefit to swap from a free-market
> reputation based system to a four-party oligopoly

The CA system is not based on reputation. Anybody in the world has an
equal right to become a root CA. You only need to convince the
OS/browser vendors:

   https://bugzilla.mozilla.org/show_bug.cgi?id=647959


The oligopoly would fail if the US, Russia, China and EU conspired
against a particular peer. Can you see that happening?


Marko

More information about the Python-list mailing list