|
Raymond T. Racing posted:wait, is the implication here that they don't actually agree with the consensus (on the 5 day max revoke time), but didn't give enough of a poo poo to argue it?
|
# ? Apr 26, 2024 20:57 |
|
skipped 600 posts, was that all about entrust still? lol
|
# ? Apr 26, 2024 20:58 |
|
Raymond T. Racing posted:wait, is the implication here that they don't actually agree with the consensus (on the 5 day max revoke time), but didn't give enough of a poo poo to argue it?
i think they just don't want to commit to either agreeing with the rule or disagreeing with the rule, since both would look pretty bad for them
pretty sure they just mean "we didn't really give a poo poo about it either way at the time", but they don't want to just come out and say that directly
|
# ? Apr 26, 2024 21:08 |
|
well-read undead posted:skipped 600 posts, was that all about entrust still? lol
tl;dr amir made an account
|
# ? Apr 26, 2024 21:21 |
|
go get em amir
https://bugzilla.mozilla.org/show_bug.cgi?id=1890898#c18
quote:Well this sounds like you have a reason to be against it now. I would like to note that, even if you disagree with this rule now - that rule is still in effect here and you are in violation of it.
|
# ? Apr 26, 2024 21:37 |
|
Wiggly Wayne DDS posted:wtf are entrust doing
it looks to me like they're betting that they can just bullshit their way through this and eventually it'll go away
from my perspective they are blatantly not engaging in good faith. i get not wanting to act hastily, hell i've been guilty of dragging my feet on something like that myself, but at this point the very fact that they've led everyone around in circles for so long in and of itself should be sufficient reason to distrust them
edit: lol i was too slow to post, looks like amir's really had it
|
# ? Apr 26, 2024 21:40 |
|
Main Paineframe posted:pretty sure they just mean "we didn't really give a poo poo about it either way at the time and thought opposing it would look bad but ultimately we're gonna do whatever the gently caress we want anyway"
Raymond T. Racing posted:go get em amir
|
# ? Apr 26, 2024 21:45 |
|
|
# ? Apr 26, 2024 21:46 |
|
Goddamn, Entrust's behaviour is rage inducing. I have to work around people sandbagging at work sometimes, but I've never had to deal with an entire institution just loving around in obvious bad faith.
|
# ? Apr 26, 2024 21:49 |
|
now I’m a moron, but I think at this point they’re at the “we know what the BRs are, we just don’t care” phase which seems not ideal.
|
# ? Apr 26, 2024 21:58 |
|
yeah, that was the point I made in my big comment: this cannot be an education gap, given their statements on the topic in the past. it’s a motivation or capability gap, which will be much harder to resolve
|
# ? Apr 26, 2024 22:36 |
|
at what point does GTS or Mozilla root trust look at this and go “hmm I think we need to reconsider”?
|
# ? Apr 26, 2024 22:40 |
|
a very very timely question
|
# ? Apr 26, 2024 23:02 |
|
Subjunctive posted:a very very timely question
do you know something we don't
|
# ? Apr 26, 2024 23:03 |
|
Raymond T. Racing posted:do you know something we don't
|
# ? Apr 26, 2024 23:04 |
|
Raymond T. Racing posted:do you know something we don't
my bitkeeper master password, I hope
but no, not on this topic. I’m trying to find out, though
|
# ? Apr 26, 2024 23:15 |
|
Raymond T. Racing posted:at what point does GTS or Mozilla root trust look at this and go “hmm I think we need to reconsider”?
gonna be pedantic here, not to pick on you but to highlight something I think is interesting about the politics of the web pki
you say “GTS” but Google trust services is not the issue. the Google chrome root program is the entity that might distrust Entrust.
you might say “cmon dude they all are at Google it’s the same poo poo isn’t it?” and that’s exactly what’s interesting here: isn’t it a big honking conflict of interest for one company to run both a CA and a root program? — not just that but THE most powerful root program that de facto runs trust on the web
the answer is yes, yes it is.
now Googlers will tell you that while GTS and Chrome enjoy a good working relationship, there do exist meaningful firewalls between them such that there isn’t a conflict of interest here. or, uh, 😅 an antitrust concern.
and if we soberly look at the actual history of involvement of GTS and Chrome employees in the web PKI, we observe that they do broadly act transparently and honestly in what appear to be the best interests of the web and the safety of its users. even where they misstep (unilateral imposition of CT) it’s obvious that the motivation was safety of humans on the web. seriously, major props to all the cats and Ryans at Google who have judiciously walked the tightrope of raising the bar on web safety while serving their masters at Google enough to keep getting paid.
but still. it’s hosed that it works this way. it’s hosed that the web pki is basically modeled on the UN Security Council. it’s hosed that Google gets to not just call all the shots with 0 accountability (except for ~ market forces ~ someday reducing Chrome’s share of the browser userbase) but also be a player in the market that they de facto regulate.
this thread has been edging for days on the sense of POWER it’s enjoying from the perception of being part of a posse bringing entrust to justice. and that rocks, I love to see people getting invested in collective governance of critical infrastructure. just, I dunno, keep working on your analysis of the power structures and dynamics at play here.
|
# ? Apr 27, 2024 00:49 |
|
excellent
|
# ? Apr 27, 2024 00:53 |
|
This might be helpful, but technically because of this, GTS doesn’t get a vote in the CAB forum. Also, there should be some attention on Apple and Microsoft here too. Apple has been somewhat active, but Microsoft is just crickets. Both of these entities also operate a root program. Their lack of participation is something I plan to write about in the future.
|
# ? Apr 27, 2024 00:55 |
|
while you’re at it, consider arguing that Apple and edge start running CT logs
|
# ? Apr 27, 2024 00:57 |
|
point is I hunger for more drama and the only drama left is entrust in a ditch
|
# ? Apr 27, 2024 01:07 |
|
regardless of everything else, the implicit (nearly explicit) admission that they don’t care about the rules seems to be worth distrusting because they have all but said you can’t trust us to follow the rules because we don’t want to follow the rules
|
# ? Apr 27, 2024 01:17 |
|
Captain Foo posted:regardless of everything else, the implicit (nearly explicit) admission that they don’t care about the rules seems to be worth distrusting because they have all but said you can’t trust us to follow the rules because we don’t want to follow the rules
"what are you going to do, distrust us?" — quote from entrust
|
# ? Apr 27, 2024 01:22 |
|
Raymond T. Racing posted:point is I hunger for more drama and the only drama left is entrust in a ditch
[thread spectators chanting] blood! blood! blood!
|
# ? Apr 27, 2024 01:24 |
|
redleader posted:[thread spectators chanting] blood! blood! blood!
Come now, they're a digital organization. They're not made of blood.
[chanting] bits! bits! bits!
|
# ? Apr 27, 2024 01:46 |
|
I'll be damned before I start trying to figure out what they consider worthy of revoking and make statistics about it, but I'm actually interested in what those numbers would look like.
|
# ? Apr 27, 2024 02:02 |
|
aaomidi posted:This might be helpful, but technically because of this, GTS doesn’t get a vote in the CAB forum.
MSFT used to be active (enough to force EVERYONE to, roughly), I wonder what happened
|
# ? Apr 27, 2024 03:15 |
|
this is all pretty funny because i have nothing to do with it. well not pretty funny. slightly amusing. mostly just tiresome
if i did have anything to do with it i would probably politely but firmly ask people to shut the gently caress up, give the leadership a chance to work out a response, and stop coordinating on offsites to ramp up the stakes for drama cred
but this is web governance so that’s presumably off the table
|
# ? Apr 27, 2024 04:32 |
|
why are you a stick in the mud
|
# ? Apr 27, 2024 04:34 |
|
rjmccall posted:stop coordinating on offsites to ramp up the stakes for drama cred
booooring
the people want, nay, crave blood
|
# ? Apr 27, 2024 04:35 |
|
rjmccall posted:this is all pretty funny because i have nothing to do with it. well not pretty funny. slightly amusing. mostly just tiresome
lol at this when it's in like year 5 of this poo poo from entrust
|
# ? Apr 27, 2024 04:40 |
|
like don't touch the poop but loving lmfao at "just give leadership a chance to handle this"
|
# ? Apr 27, 2024 04:44 |
|
the leadership had that entire span of time to cook up a response between when the first ticket was opened and when google took notice of it and they realized they actually had to bother with responding now that Someone Important was paying attention
|
# ? Apr 27, 2024 04:52 |
|
rjmccall posted:stop coordinating on offsites to ramp up the stakes for drama cred
|
# ? Apr 27, 2024 04:54 |
|
this stuff is always “coordinated in offsites”
the Mozilla root program public discussion itself was described in similar “oh they’re just stirring up poo poo” terms at the beginning of CA/B, in fact, with similar “leave it to the grownups” dismissal
the reason that bugzilla is the center of this stuff, and the bugs aren’t made private or closed to new-account posting, is exactly because the most active root programs consider themselves accountable to the broader web public
|
# ? Apr 27, 2024 05:04 |
|
Subjunctive posted:this stuff is always “coordinated in offsites”
thanks for the color on the middle paragraph, and making clear what seemed evident just by watching the discussions
|
# ? Apr 27, 2024 05:38 |
|
after 600+ and counting posts of this poo poo there had better be some blood at the end
|
# ? Apr 27, 2024 06:00 |
|
rjmccall posted:this is all pretty funny because i have nothing to do with it. well not pretty funny. slightly amusing. mostly just tiresome
i broadly think it'd be better if there is *not* blood at the end of this, but what makes it interesting (as opposed to an incredibly mundane discussion about form validation) is that it really doesn't make that much sense as a system if one goes "lets just sit silently and leadership will get back to us", as obviously the system is a hair of bureaucracy and formalia away from just being "google tells us what to trust" already
|
# ? Apr 27, 2024 07:44 |
|
After how many years should we assume that "leadership" has had a chance to address this?
|
# ? Apr 27, 2024 09:16 |
|
The real question in my mind is the implication for the self-governance model if an organisation just refuses to be governed by it. If CAs can just ignore rules without consequences, there will come a point when a nation state or supranational organisation will decide that the model isn't working. It's not going to happen over some typos or missing fields that aren't critically important, but I can absolutely see the EU deciding that having rogue and evidently unaccountable CAs trusted on its infrastructure is not in its interest…
|
# ? Apr 27, 2024 12:13 |