OpenPGP for application developers

Posted Dec 18, 2023 6:05 UTC (Mon) by NYKevin (subscriber, #129325)
In reply to: OpenPGP for application developers by LtWorf
Parent article: OpenPGP for application developers

> Their entire security is based on "trust me bro, I'm a business company, not some nerd".

Well, that and "If we turn out to be lying, then our whole business goes up in smoke." See for example the CA/B process (which PGP people love to dump on, but it actually has gotten a lot better at revoking bad roots in recent memory).



OpenPGP for application developers

Posted Dec 18, 2023 6:28 UTC (Mon) by LtWorf (subscriber, #124958) [Link]

Plenty of companies remain around after such revelations.

The invisible hand doesn't exist.

OpenPGP for application developers

Posted Dec 18, 2023 16:01 UTC (Mon) by anselm (subscriber, #2796) [Link] (4 responses)

> Well, that and "If we turn out to be lying, then our whole business goes up in smoke." See for example the CA/B process

Which of course the EU is currently trying to do an end-run around under the auspices of the upcoming revised eIDAS regulation, by forcing browsers to include root CA certificates from government-approved CAs that the browser makers don't get to vet.

OpenPGP for application developers

Posted Dec 18, 2023 17:03 UTC (Mon) by Wol (subscriber, #4433) [Link] (2 responses)

Well, given that all the major browsers are Open Source, I wonder how well that's going to pan out ...

It may not be the simplest thing for most users, but if a user can modify the source of the browser, it'll be easy to delete those root certs.

Cheers,
Wol

OpenPGP for application developers

Posted Dec 19, 2023 10:39 UTC (Tue) by anselm (subscriber, #2796) [Link] (1 responses)

> It may not be the simplest thing for most users, but if a user can modify the source of the browser, it'll be easy to delete those root certs.

Patching and recompiling a major browser is not for the faint of heart (or those with small(ish) PCs). I think, since the browser makers won't be able to refuse the QWAC root CA certificates outright, what we may eventually see are improvements to browser trust store management UIs that will let people deselect root CA certs they don't like in a more convenient manner (including a guarantee that they won't pop up again on the next browser update). Also the fact that browsers generally do their own thing, apart from the OS, when it comes to trust store management is a problem because it is difficult to figure out all the places where you would have to go to remove those certs. It would certainly change the situation in the EU from the current “mostly works OK by default for most people” to “sucks for almost everyone” since only the very dedicated would go to the trouble of adjusting their trust store.

This is apart from the fact that there will probably be subtle (or not-so-subtle) pressure on web sites, certainly the major ones, to use QWAC certificates from the government-approved CAs, in order to make life more difficult for those people who do decide to patch out those root certificates. After all, the whole thing seems to be driven not just by a desire to make it easier for state actors to MITM people's connections, but also to generate money-making opportunities for commercial CAs whose business has mostly been killed by the likes of Let's Encrypt. After all, QWAC certificates from the government-mandated CAs are basically just like EV certificates, which go for €€€ but which nobody uses anymore because free DV certificates from Let's Encrypt are nearly as good and much easier to deal with.

OpenPGP for application developers

Posted Dec 19, 2023 20:24 UTC (Tue) by Wol (subscriber, #4433) [Link]

> Patching and recompiling a major browser is not for the faint of heart (or those with small(ish) PCs).

"emerge firefox"? :-) :-)

Cheers,
Wol

OpenPGP for application developers

Posted Dec 19, 2023 11:31 UTC (Tue) by kleptog (subscriber, #1183) [Link]

> Which of course the EU is currently trying to do an end-run around under the auspices of the upcoming revised eIDAS regulation, by forcing browsers to include root CA certificates from government-approved CAs that the browser makers don't get to vet.

The problem is we have different groups of people trying to solve the same problem of trust. Suppose some European government has a complete digital infrastructure set up for their citizens to file taxes, manage health insurance, etc for example, and then Chrome decides to revoke the root cert. Then there is a Big Problem. We are talking about an identity scheme after all, break that and everything breaks. (This is not hypothetical, remember DigiNotar.)

The CA/B and browser makers don't trust the European governments to do the right thing. And the European governments don't trust the CA/B or browser makers to do the right thing. When people here say "the EU is trying to do an end run around the CA/B" what the policy makers hear is "these people want our digital infrastructure to be beholden to foreign actors who may not have our interests at heart".

Suppose the US government started leaning on Google to revoke the CA certificate of a European government, do you really think Google would resist? Arguments like "but the US government would never do that" don't fly in this case. Sovereign states are paranoid that way.

So the typical EU approach is to write it into a regulation since then at least on paper the problem is solved. It's of course completely unenforceable. Ideally all these groups would (gasp) talk to each other and figure out a way to make everyone happy. However, my understanding is that the CA/B has pretty much a "my way or the highway" approach. Classic government vs business actually.

