nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: "John R. Levine via NANOG" <nanog () lists nanog org>
Date: 23 May 2025 11:08:53 -0400

On Fri, 23 May 2025, Eliot Lear wrote:
> It's not that hypothetical.  I bring to your attention draft-halen-fedae <https://datatracker.ietf.org/doc/draft-halen-fedae/>, which has been deployed in Sweden to create trust within a federation of private CAs.  But it's not sufficient for non-federated or non-prearranged use cases.  This draft focuses on m2m, and specifically excludes web-based transaction, because the security analysis required for browser interactions is a hard problem.

I'm having trouble coming up with plausible scenarios where the only thing you know about a client is that some CA said their domain is OK.

Federated private CAs implement business relationships among the organizations. Some random person saying "hi, I am foo.bar.com" provides what? I don't get it.

I suppose there's the model PHB proposed, where it's sort of a mutant OpenID, but domains don't seem like the right level of granularity. Also, after two decades, OpenID hasn't exactly been a stunning success.

Regards,
John Levine, johnl () taugh com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/PVWGVJMKS2I4VBHUITB7BVSRCCDS3M6L/