This is also interesting regarding how we treat animals. If a man can live like a normal human using just 10% of his brain, then it may be possible that an animal with a small brain may be much smarter than we thought, because it uses its brain more efficiently. It may actually speak and think and whatnot, but we are not recognizing it. In other words, it may not be dumber, but just different. And then the fact that we kill or enslave it is of course an ethical issue (it is anyway).
Seeing how smart some birds are, it's no wonder they have a higher neuronal density than mammal brains. They can pack more neurons thanks to their higher energy efficiency, IIRC.
> The current CA ecosystem is *heavily* driven by web browser vendors (i.e. Google, Apple, Microsoft and Mozilla), and they are increasingly hostile towards non-browser applications using certificates from CAs that they say only provide certificates for consumption by web browsers.
Let's translate and simplify:
> The current CA ecosystem is Google. They want that only Google-applications get certificates from CAs.
> The CA/Browser Forum is a voluntary organization of Certification Authorities and suppliers of Internet browser and other relying‐party software applications.
IMHO "other relying-party software applications" can include XMPP servers (also perhaps SMTP, IMAP, FTPS, NNTP, etc).
If Google/Chrome doesn't want to allow it, good for them. But why do they get to dictate what others do?
For decades there have been a few entities interested in actually providing a working and trustworthy PKI for the Internet - it's called the Web PKI because in practice the only interested parties are always browser vendors.
There are always plenty of people who aren't interested in doing any hard work themselves but are along for the ride, and periodically some of those people are very angry because a system they expended no effort to maintain hasn't focused on their needs.
The Web PKI wasn't somehow blessed by God, people made this. If you do the hard work you can make your own PKI, with your own rules. If you aren't interested in doing that work, you get whatever the people who did the work wanted. This ought to be a familiar concept.
Huh? Google does not even make a web server, or any kind of major servers, unless you count GCP load balancers or whatever. You are confusing their control of the client (which is still significantly shared with Apple and Microsoft since they control OS-level certificate trusts) with the server side, who are the "customers" of the CA. Google has almost no involvement in that and couldn't care less what kind of code is requesting and using certificates.
Huh bis? Aren't people using Google browser mostly to use Google services hosted on Google servers? Haven't you heard of Google the search engine, Google maps, YouTube, Gmail, Google docs, etc?
But this is about SSL certificates. Google may account for say half of web traffic, but there are billions of other servers that account for the other half, and it has absolutely no care what web server or ACME client they are running or much else. It is concerned about the client experience and how it trusts certificates.
Google already has its own CA that is used for its own systems as well as to issue certificates for GCP customers. They don't interact with Let's Encrypt or any other external CA as far as I know for their own services.
No. HTTPS certificates are being abused for non-https purposes. CAs want to sell certificates for everything under the sun, and want to force those in the ecosystem to support their business, even though https certificates are not designed to be used for other things (mail servers for example).
If CAs don't want hostility from browser companies for using https certificate for non-http/browser applications, they should build their own thing.
They weren't "HTTPS certificates" originally, just certificates. They may be "HTTPS certificates" today if you listen to some people. However there was never a line drawn where one day they weren't "HTTPS certificates" and the next day they were. The ecosystem was just gradually pushed in that direction because of the dominance of the browser vendors and the popularity of the web.
I put "HTTPS certificates" in quotes in this comment because it is not a technical term defined anywhere, just a concept that "these certificates should only be used for HTTPS". The core specifications talk about "TLS servers" and "TLS clients".
This is technically true, and nobody contested the CABF's focus on HTTPS TLS.
However, eventually, the CABF started imposing restrictions on the public CA operators regarding the issuance of non-HTTPS certificates. Nominally, the CAs are still offering "TLS certificates", but due to the pressure from the CABF, the allowed certificates are getting more and more limited, with the removal of SRVname a few years ago, and the removal of clientAuth that this thread is about.
I can understand the CABF position of "just make your own PKI" to a degree, but in practice that would require a Let's Encrypt level of effort for something that is already perfectly provided by Let's Encrypt, if it weren't for the CABF lobbying.
> CABF started imposing restrictions on the public CA operators regarding the issuance of non-HTTPS certificates.
The restriction is on signing non web certificates with the same root/intermediate as is part of the WebPKI.
There's no rule (that I'm aware of?) that says the CAs can't have different signing roots for whatever use-case that are then trusted by people who need that use case.
> The CA/Browser Forum is a voluntary organization of Certification Authorities and suppliers of Internet browser and other relying‐party software applications.
IMHO "other relying-party software applications" can include XMPP servers (also perhaps SMTP, IMAP, FTPS, NNTP, etc).
It is a single member of the CAB that is insisting on changing the MAY to a MUST NOT for clientAuth. Why does that single member, Google-Chrome, get to dictate this?
Has Mozilla insisted on changing the meaning of §1.3 to basically remove "other relying‐party software applications"? Apple-Safari? Or any other of the "Certificate Consumers":
The membership of CAB collectively agree to the requirements/restrictions they place on themselves, and those requirements (a) state both browser and non-browser use cases, and (b) explicitly allow clientAuth usage as a MAY; see §7.1.2.10.6, §7.1.2.7.10:
> CAs want to sell certificates for everything under the sun
A serious problem with traditional CAs, which was partly solved by Let's Encrypt just giving them away. Everyone gradually realized that the "tying to real identity" function was both very expensive and of little value, compared to what people actually want which is "encryption, with reasonable certainty that it's not MITMd suddenly".
Where did you get that idea? These certs have always been intended for any TLS connection of any application. They are also in no way specific or "designed for" HTTPS. Neither the industry body formed from the CAs and software vendors, nor the big CAs themselves are against non-HTTPS use.
> Welcome to the CA/Browser Forum
>
> The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).
> Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?
>
> Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.
PKI certificates weren't even intended for SSL, it predates even that.
X.509 was published on November 25, 1988; version 3 added support for "the web" as it was known at the time. One obvious use was for X.400 e-mail systems in the 1980s. Novell Netware adopted X.509.
It was originally intended for use with X.511 "Directory Access Protocol", which LDAP was based on. You can still find X.500 heritage in Microsoft Exchange and Active Directory, although it's getting less over time and e.g. EntraID only has some affordances for backward compatibility.
I support this for the same reason I want scripted reality TV shows to be labeled as such. Anything that claims to be reality but isn't should be clearly marked as such, unless it's obvious from the context.
I actually don't even care too much if they try to detect, that I am the X from last time.
The issue is them selling the data, or using it in unrelated locations, or trying to detect me as a person. And their programmers are not enforced and rewarded when they report such behavior to law agencies / the public. And the law is not punishing it.
Yes, especially as the company could just implement a button "Delete your data" on their website. An automated task initiated by the user. No work for them.
Companies could also make clear before any registration, on one page, which data they will ask for and later collect. If they were honest. Then the user had a chance to opt out _before_ they have given any data to them.
Well, they are not honest, because what do they do instead? Page 1: "Please, your E-Mail". Page 2: "We also need your phone number (we may call you)". Page 3: "Great, nearly done. Now please, your address, your credit card, a fingerprint copy and a picture of your penis".
I am in favor of appending a zero to those 5.000 Euros.
I think the point of introducing the (...) syntax that for some reason this article apparently denigrates (if I even understand it correctly) is to eventually deprecate that.
Disagree. It is good for users of all operating systems, if Linux becomes so usable that it threatens Windows. Then Windows has to improve and we have a race to the top.
I disagree with "usability" being one dimension. I disagree with assuming that Windows is the definition of "most usable" and "Linux should move towards Windows to get more usable".
Linux is different. It's great to learn something different. I don't use Linux because I don't want to pay for Windows. I use Linux because I like how Linux is.
The more Windows people join Linux and try to make it look like Windows, the more Linux starts looking like the platform I left 15 years ago.
You are making a philosophy out of it, but I claim that usability is not a philosophy but an objective value. The more usable a tool is, without losing anything else, the higher its value.
> I claim that usability is not a philosophy but an objective value
Counter-example: many times, what I find more usable is what others find less usable. Unless I'm objectively stupid, usability is subjective.
I hate it when people tell me "Linux should look more like Windows, because Windows is more usable. And if you don't find that Windows is more usable, then you're objectively wrong".
> Counter-example: many times, what I find more usable is what others find less usable. Unless I'm objectively stupid, usability is subjective.
Hard to argue with you about that, unless you get more concrete. Can you give an example for something you find more usable which others find less usable (than what?)?
Your taste is not different regarding usability but regarding tools. Usability just means making that what you use as usable as possible:
* Window managers are wisely preconfigured and the user can one-click-switch between them, like between Plugins.
* Key bindings are configurable for everything (which probably is already the case)
* There is a CLI <-> GUI standard. Same for config files <-> settings panels, etc. The UCI standard for chess engines comes to mind.
* Installing from source is integrated. Every source code directory can be right-clicked: "compile". Every binary can be right-clicked: "modify". And that works out of the box, no programming skills required unless one wants to make changes. One can click on code locations: "Explain".
Some more things come to my mind:
* A "freeze" button which freezes the current state of my system bit by bit. There is a possibility to backup that to the internet for a monthly fee. No credit card required.
* Every button bar can be configured, every list of something can be filter-as-you-typed. Every right-click Menu can be configured.
* Linux has a global namespace/function/type library, accessible via a browser and also directly from within Linux. You don't have to read any doc except that of the used namespace/function/type. It creates binaries which follow the above standard.
* There is an AI window where I can ask questions about my system. It has a well-done local default AI but there is an option to buy tokens from popular "Language Models". No tech speak. No credit card required.
This is what I mean with "become so usable that you threaten Windows".
Oh, I get it now. I guess I agree with that, then. Though before you reach "perfect, ideal usability", I feel like it's still subjective. Linux is currently more usable to me than Windows or macOS.
Also I think we could debate on the "footguns" idea. Many people will say "we should not allow the user to do that because it is a footgun" for many things that I barely consider "advanced usage" and that I actually want. Does making it simpler at the cost of removing possibilities count as making it more usable, or less?
Right you are. Making it "simpler" at the cost of removing possibilities is not usability. That is dictatorship disguising itself as a service to the alleged "uneducated user". The Gnome people do / have done that, the result is an operating system which is nearly unusable. Usability is not some developer deciding which tools to have and which tools not to have, usability is allowing the users to choose but give pleasant defaults, so that the user can also choose not to choose.