On Sun, May 24, 2015 at 2:53 AM, Marko Rauhamaa <[email protected]> wrote:
> Steven D'Aprano <[email protected]>:
>
>> On Sat, 23 May 2015 10:44 pm, Marko Rauhamaa wrote:
>>> Here's an idea: an authentication is considered valid if it is
>>> vouched for by the United States, China, Russia *and* the European
>>> Union. Those governments are the only entities that would have the
>>> right to delegate their respective certification powers to private
>>> entities.
>>
>> If you gave them veto power over all certificate authorities (since
>> you need all four to agree, any of them can veto a CA),
>
> No, they wouldn't be able to veto a CA. At worst, they would be able to
> refuse you a certificate. If they did that, they would risk being
> dropped from the power pool.

You start out by saying it's valid if vouched for by X, Y, Z, *and* A. That means that if it's vouched for by X, Y, and A, but not Z, then it's not valid. That gives Z the power to veto any certificate. Correspondingly each of the others.

Alternatively, you could say that it's valid if vouched for by *any* of your authorities... but then you have the same situation as currently, where multiple authorities can create identical certificates. You could try for some kind of voting scheme, where it takes X/2+1 authorities to create a certificate (so you'd need three of your four, or if you added a fifth (say Japan), then three out of the five); but this just entails ridiculous overheads for uncertain benefit.

Also, there's one huge question outstanding: Since when should country governments and the EU be in charge of any of this?

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
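
The three acceptance rules compared in the reply above (all authorities, any authority, X/2+1 of them), worked through as an added example that is not part of the original thread. The function names and the two-letter authority labels are made up for illustration; the code enumerates which groups of authorities can issue a certificate on their own and which can block one.

```python
from itertools import combinations

def majority_threshold(n):
    """The 'X/2+1' rule from the message, using integer division."""
    return n // 2 + 1

def is_valid(vouchers, authorities, k):
    """Valid when at least k distinct recognised authorities vouch for it."""
    return len(set(vouchers) & set(authorities)) >= k

def minimal_coalitions(authorities, predicate):
    """All smallest-size groups of authorities for which predicate holds."""
    for size in range(1, len(authorities) + 1):
        found = [set(c) for c in combinations(authorities, size) if predicate(set(c))]
        if found:
            return found
    return []

def analyse(authorities, k):
    """Summarise who can issue alone and who can block under a k-of-n rule."""
    everyone = set(authorities)
    # A group can issue by itself if its own vouchers already meet the threshold.
    issuers = minimal_coalitions(authorities, lambda c: is_valid(c, authorities, k))
    # A group can block if everyone outside it still falls short of the threshold.
    blockers = minimal_coalitions(
        authorities, lambda c: not is_valid(everyone - c, authorities, k))
    return {
        "threshold": k,
        "issue_size": len(issuers[0]),
        "block_size": len(blockers[0]),
        "single_veto": sorted(next(iter(b)) for b in blockers if len(b) == 1),
    }

# Constructed labels standing in for the authorities named in the thread.
FOUR = ["US", "CN", "RU", "EU"]
FIVE = FOUR + ["JP"]

if __name__ == "__main__":
    for label, pool, k in [
        ("all four must agree", FOUR, len(FOUR)),
        ("any one suffices", FOUR, 1),
        ("X/2+1 of four", FOUR, majority_threshold(len(FOUR))),
        ("X/2+1 of five", FIVE, majority_threshold(len(FIVE))),
    ]:
        print(label, analyse(pool, k))
```
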
