razakel's comments

Authoritarianism isn't the same thing as fascism.

That is arguing a distinction which is a really bad look.

Some ways, yes, some ways no. Communism and Fascism in practice had mutual influences on one another although they would be loath to admit it. (By Communism here, I mean Communist party rule, not the future utopia which none of these countries ever achieved.)

If you want to take a more Trotskyite view, many post-revolutionary states enter a so called "Bonapartist" phase, where militarism, ultranationalism and symbology combine to produce something which looks a lot like Fascism. Mao and Stalin were not above using ultranationalism and chauvinism to push their rule. North Korea has gone all the way with this with Juche which contains mystical, ultranationalist and even racial supremacist features.


Has anyone actually given a good explanation as to why TLS Client Auth is being removed?

It's a requirement from the Chrome root program. This page is probably the best resource on why they want this: https://googlechrome.github.io/chromerootprogram/moving-forw...

I get why Chrome doesn't want it (it doesn't serve Chrome's interests), but that doesn't explain why Let's Encrypt had to remove it. The reason seems to be "you can't be a Chrome CA and not do exactly what Chrome wants, which is... only things Chrome wants to do". In other words, CAs have been entirely captured by Chrome. They're Chrome Authorities.

Am I the only person that thinks this is insane? All web security is now at the whims of Google?


All major root store programs (Chrome, Apple, Microsoft, Mozilla) have this power. They set the requirements that CAs must follow to be included in their root store, and for most CAs their certs would be useless if they aren't included in all major ones.

I don't think the root programs take these kinds of decisions lightly and I don't see any selfish motives they could have. They need to find a balance between not overcomplicating things for site operators and CAs (they must stay reliable) while also keeping end users secure.

A lot of CAs and site operators would love it if nothing ever changed: don't disallow insecure signature/hash algorithms, 5+ year valid certs, renewals done manually, no CT, no MPIC, etc. So someone else needs to push for these improvements.

The changes the root programs push for aren't unreasonable, so I'm not really concerned about the power they have over CAs.

That doesn't mean the changes aren't painful in the short term. For example, the move to 45 day certificates is going to cause some downtime, but of course the root programs/browsers don't benefit from that. They're still doing this because they believe that in the long term it's going to make WebPKI more robust.

There's also the CA/Browser Forum where rule changes are discussed and voted on. I'm not sure how root programs decide on what to make part of their root policy vs. what to try to get voted into the baseline requirements. Perhaps in this case Chrome felt that too many CAs would vote against for self-interested reasons, but that's speculation.


The "client cert" requirements were specifically not a CABF rule because that would rule it out for everyone complying with those rules, which is much broader than just the CAs included in Chrome.

Some CAs will continue to run PKIs which support client certs, for use outside of Chrome.

In general, the "baseline requirements" are intended to be just that: A shared baseline that is met by everyone. All the major root programs today have requirements which are unique to their program.


Thanks for chiming in! I remember now that you also said this on the LE community forum.

Right, that explains it. So the use would be for things other than websites or for websites that don't need to support Chrome (and also need clientAuth)?

I guess I find it hard to wrap my head around this because I don't have experience with any applications where this plus a publicly trusted certificate makes sense. But I suppose they must exist, otherwise there would've been an effort to vote it into the BRs.

If you or someone else here knows more about these use cases, then I'd like to hear about it to better understand this.


Are you asking why an HTTPS server would need to use client auth outside of the browser? The answer is mTLS. If you want to use one cert for your one domain to serve both "normal" browser content and HTTPS APIs with mTLS, your cert needs to be able to do it all.

The server that wants to authenticate clients via mTLS doesn't need the clientAuth EKU on its certificate, only the clients do.

Most of the time you set up mTLS by creating your own self-signed certificate and verifying that the client has that cert (or one that chains up to it). I'm wondering what systems exist that need a publicly trusted cert with clientAuth.

The only thing I've heard of so far is XMPP for server-to-server auth, but there are alternative auth methods it supports.
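The point made above, that only the client's certificate needs the clientAuth EKU while the server's certificate needs serverAuth, can be checked directly with the Go standard library. The following is an added example written for this page; it is not code from any commenter, from Let's Encrypt or from the Go project. It stands up a throwaway private CA (the CA name and the hostnames are constructed placeholders), issues three leaf certificates that differ only in their Extended Key Usage, and verifies each one for both TLS roles with the same x509.Verify call that crypto/tls makes internally when it checks a peer's certificate chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer bundles a CA certificate with its private key.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA; the subject name is a constructed placeholder.
func newCA() issuer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return issuer{cert: cert, key: key}
}

// issueLeaf signs a leaf for dnsName carrying exactly the EKUs given.
func (ca issuer) issueLeaf(dnsName string, serial int64, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // dNSName SAN, as in the thread
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// acceptedAs reports whether leaf chains to ca and may act in the given role.
// A TLS server verifying a client cert asks for ExtKeyUsageClientAuth; a TLS
// client verifying a server cert asks for ExtKeyUsageServerAuth.
func acceptedAs(ca, leaf *x509.Certificate, role x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{role},
	})
	return err == nil
}

// roles records which TLS roles a certificate was accepted for.
type roles struct{ Server, Client bool }

// classify issues the three leaves and reports the roles each can fill.
func classify() map[string]roles {
	ca := newCA()
	leaves := map[string]*x509.Certificate{
		"serverAuth only":       ca.issueLeaf("www.example.test", 2, x509.ExtKeyUsageServerAuth),
		"clientAuth only":       ca.issueLeaf("api-client.example.test", 3, x509.ExtKeyUsageClientAuth),
		"serverAuth+clientAuth": ca.issueLeaf("api.example.test", 4, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth),
	}
	out := make(map[string]roles)
	for name, leaf := range leaves {
		out[name] = roles{
			Server: acceptedAs(ca.cert, leaf, x509.ExtKeyUsageServerAuth),
			Client: acceptedAs(ca.cert, leaf, x509.ExtKeyUsageClientAuth),
		}
	}
	return out
}

func main() {
	for name, r := range classify() {
		fmt.Printf("%-22s usable as TLS server: %-5v usable as mTLS client: %v\n", name, r.Server, r.Client)
	}
}
```

The "serverAuth+clientAuth" leaf is the shape of certificate the thread is discussing: a single publicly trusted certificate that can both terminate HTTPS and present itself as an mTLS client. Once clientAuth is no longer issued, the first case (serverAuth only) is what a public CA hands out, and the server side of an mTLS deployment is unaffected by that; only clients that were relying on a public CA for their client certificate need to move to a private CA such as the one constructed here.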


One reason is that the client certificate with id-kp-clientAuth EKU and a dNSName SAN doesn't actually authenticate the client's FQDN. To do that you'd have to do something of a return routability check at the app layer where the server connects to the client by resolving its FQDN to check that it's the same client as on the other connection. I'm not sure how seriously to take that complaint, but it's something.

Because Google doesn't want anyone using PKI for anything but simple websites.

Because using a public key infrastructure for client certificates is terrible.

mTLS is probably the only sane situation where private key infrastructure shall be used.


It competes with "Sign in with Google" SSO.

As the article says, it's based on Schongauer's The Temptation of St. Anthony. There's even a version by Salvador Dali.

There's a cool background to Dali's Temptation of St. Anthony.

In 1946, 11 surrealist painters were asked to submit a painting to be used in a film (Albert Lewin's "The Private Affairs of Bel Ami"). Among the contestants were Max Ernst (who won), Leonora Carrington, Dalí, Stanley Spencer, Dorothea Tanning. Among the judges was Marcel Duchamp. The painting is then shown in color - the only color scene in an otherwise black and white movie.

I think the reason why they specifically wanted the Temptation of Saint Anthony had to do with censorship, but sadly I can't remember the details.


There are many versions; it's a popular theme. I saw 4 or 5 together in the Museum of Western Art in Tokyo recently.

Maybe, just maybe, parents could use the parental controls that are widely available for free?

Of course they are. Had to block anything at work coming from one certain company because it wasn't respecting robots.txt and the bill was just getting silly.

They've still got QNX.


Why wouldn't it work? The oligarchs would certainly be a bit upset if they lost their yachts, mansions, sports teams, and everywhere else they keep their wealth away from Putin.


That’s all been confiscated already.


All?

That doesn’t seem likely.


It's been repeatedly demonstrated that the oligarchs are just as expendable as the ships.


No, just education in media literacy and how to critically evaluate sources.


The problem is that just a small portion of the population knows these, so the average parent has the same problem.


One would figure a русский would be more wary of the nanny state.


And yet there's opposition to teaching it in schools!

"I love the poorly educated"

- Some Guy


All jewelry is ridiculously marked up. You see Cash for Gold places, but have you ever seen Cash for Diamonds?


That had a lot to do with De Beers blacklisting any buyers of used diamonds, so used stones would end up their only supply. Meanwhile running "Diamonds are Forever" campaigns that would paint any such recycling as the actions of sleazy dishonest pawn brokers. You wouldn't sell Grandma's precious heirloom to one of those people now, would you? Nowadays I'm not sure the cartels have the power they used to, but whatever's left does still seem pretty disproportionate.


You forgot the best bit - not removing the ones you no longer use!

