
On Fri, 23 May 2025, Eliot Lear wrote:
> It's not that hypothetical. I bring to your attention draft-halen-fedae <https://datatracker.ietf.org/doc/draft-halen-fedae/>, which has been deployed in Sweden to create trust within a federation of private CAs. But it's not sufficient for non-federated or non-prearranged use cases. This draft focuses on m2m, and specifically excludes web-based transactions, because the security analysis required for browser interactions is a hard problem.
I'm having trouble coming up with plausible scenarios where the only thing you know about a client is that some CA said their domain is OK. Federated private CAs implement business relationships among the organizations. Some random person saying "hi, I am foo.bar.com" provides what? I don't get it. I suppose there's the model PHB proposed, where it's sort of a mutant OpenID, but domains don't seem like the right level of granularity. Also, after two decades, OpenID hasn't exactly been a stunning success.

Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly