Open bob-beck opened 4 months ago
I have stated your intent to deliver a particular feature. I have stated that the risks described in this section are simply a particular type of actor exploiting this feature. I have not implied anything about the motivations behind your intent and I do not understand how you can read it that way.
Nor have I claimed that this feature has no legitimate uses, I have stated only that this is a feature which governments are the most likely type of actor to abuse - which is well evidenced in the document.
If you want to make a concrete suggestion for improvement with altering the meaning of the sentence, please feel free to. However, this kind of flagrant misrepresentation of what I wrote does no one any favors. This is my current attempt to make this even clearer:
One of the (unstated, and perhaps we should state it more clearly) goals of trust expressions is to allow for new root programs to be created.
Although I believe this is entirely unintentional on the part of the authors, the issues described in this section are direct consequences of this goal / feature. Governments are one type of actor who might wish to establish a new root program and one of the most likely to do so for malicious reasons. The impacts described in this section are effectively explanations of how the core features intentionally introduced by Trust Expressions and Trust Anchors are unfortunately (and unintentionally) open to abuse.
I think you've missed some important context here. The ability to create new root programs exists today. Chrome, for example, went from using the OS's root store (with some overlays) to running its own, so that it could better improve security for its users.
Trust expressions works by introducing a new, moderately heavy coordination between root programs and CAs. The results of that coordination are then cached at subscribers in the form of the selection metadata.
Given that dynamic, we considered it important to reason through how this pre-existing flow of introducing a new root program would work. It would be undesirable to regress this pre-existing flow. Other products may, in the future, decide that it is beneficial to user security to start their own program, and we did not want to interfere with that. Thus the comment.
(This, of course, does not apply to trust anchor identifiers, which trivially has no impact to this pre-existing capability.)
To present this as an intent to introduce a new capability is completely the opposite of what the authors are saying.
It is trivial to create new programs that overlap with existing ones. It is hard to create divergent ones - precisely due to the server's 'one certificate fits all' constraint. CAs that can be used on the WebPKI exist at the intersection of all major programs because of this constraint. Removing it allows for divergence.
Is it an (unstated) goal of Trust Expressions (and Trust Anchors) to make it easier to create new root programs? This is what Bob wrote.
Please read what was said (both in the drafts and in the history of the discussion) before responding.
"easier" was not the word I used, and your implication of this is the core of why I objected to this.
Is it the intent of Trust Expressions / Trust Anchors to make it easier, harder or no difference to the establishment of new root programs?
Do you think the design of Trust Expressions / Trust Anchors makes it easier, harder or no difference to the establishment of new root programs?
Since you're quoting me here, I feel compelled to ask you to correct this. This is now the second time you have quoted my words in a response, and the second time you have implied that the intention here is to create a solution that could only benefit players in this space that would be governments. This is not true.
The intention of the draft authors, including myself, is to ensure that any solution to Trust Anchor Agility allows new root programs to be created. Just as Chrome and Mozilla have decided to run a root program, any other browser, OS, or person with a reason to do so should be able to run a root program. The ability to decide on trust and run a root program for a set of TLS clients should not be restricted to a small set of browsers.
The sensationalist jump in reasoning that the only new root program could be governments appears to me to be a disingenuous effort to imply that there are no legitimate reasons anyone might want to run their own root program to curate a set of trust anchors that are appropriate for their use cases.
I stand by my words here. There have already been new root programs created over the life of the Web PKI. I believe that new ones should be able to come into existence.