@kravietz @Natanox @europarl_en @EU_Commission
> Well, that’s the same class of problem as “why the regulation has to compel anyone to obtain user consent for cookies”
(I assume you refer to GDPR and not the previous law about cookie consent.) That case is about an entity doing something that the user cannot affect in a way they might want to (e.g. use a service that requires log in for an actual reason without being tracked for unrelated reasons). Here, the user's choices are made more difficult: they are deprived of an easy way to make a particular choice and deprived of the possibility to delegate that choice.
> The primary answer is: because otherwise they won’t, because it’s not in their interest.
Whose interest? Browsers'? I've seen CAs with a very weak reason admitted as root CAs (I've found those cases most often by following up the original inclusion of some CAs that turned up shady afterwards). I don't see why browsers would mind, and I don't expect them to mind on the principle of preferring no changes, because they behaved differently up to now.
> And what is “trusted by browsers” is 100% policy decision
Srsly, if you call the collection of whatwg specs a policy decision, then no part of any protocol isn't one. "Server needs to know the client's IP address" is then also a policy decision.
Currently, anything web that deals in nonpublic data relies on the assumption that an entity can control a domain and be the only entity able to serve responses from that domain. It's impossible to keep any sort of nonpublic state in a browser that's not accessible to someone who can impersonate any domain.
@kravietz @Natanox @europarl_en @EU_Commission
One more thing on the topic of process: IIUC (based on excerpts) eIDAS only provides for a procedure to dispute the validity of individual certs, but not of a CA. Currently, the CAB forum does distrust CAs if they repeatedly misissue certificates, esp. if that happens after they claim to have fixed the problem that later causes misissuance. Also, this is not only important when it happens, but even when it doesn't happen the possibility shapes CAs' behaviour.
@russss Do you know anything about the variance of horizontal motion over the local area?
@kravietz @Natanox @europarl_en @EU_Commission
If someone wants to make better EV, sure, I don't expect that to be very beneficial (because e.g. avoidance of misleadingly similar names across different countries is likely to be at least as large a problem), but I have nothing against it in principle (I might strongly object to implementations that end up imposing costs on unwilling participants, but I have no reason to expect any random implementation to be like that).
I don't get why the regulation has to compel anyone to trust those root signing keys, esp. for reasons unrelated to anything EV-like (yes, we can't disentangle that _now_, but I don't see why we'd want to compel that at all). I would understand the regulation compelling browsers not to trust any other root signing keys _for some subset of the org hierarchy_. We have a significant amount of history of the CAB forum to show that (a) CAs that have a reason for their existence that's not satisfied by another CA and that's relevant for HTTPS get accepted (b) CAs get distrusted in cases where they have demonstrated lack of will or ability to ensure appropriate verification before/procedure around issuing certs or to respond truthfully. Many of these cases relied on participants' knowledge about what's reasonable and about nonobvious potential consequences (v. all the amusing ways of detrusting future certs only), so I am by default doubtful that whatever procedure eIDAS provides for is going to be less manipulatable by the CAs.
It's not only GAFAD that cares mostly about DV. If the domain owner has no legal identity that is relevant (e.g. is a person), then they don't care for anything EV-like. A small business/organisation might also not care for EV, because it's just as easy for them to make people aware of the legal name as it is to make them aware of the domain (I'm not certain about legal names of 3/4 small local businesses/organisations that I could recall on the spot, but could recall the domain names of their websites). I expect that this is mostly beneficial for companies of the size of Ford or Migros, but for such companies the problem of international name near-collisions starts to appear (because the user is unlikely to reliably remember what country the company should be from).
Also, DV is important insofar as it's trusted by browsers. Cookies, local storage, meaning of "same origin" are all bound to domains, not subtrees of organisation space. This makes me consider DV as important for anyone who actually has users' private data and serves it back to them.
@kravietz @Natanox @europarl_en @EU_Commission
You are talking about the part where the certificate is bound to an organization name. I believe that part of the cert is basically useless, because (a) humans operating browsers won't be surprised by its lack (b) they have been conditioned to expect weird-looking organization names sometimes.
Over the parts of CAB forum history I've seen (I don't participate, just look at it once in a while) I haven't ever seen issues where a CA was issuing incorrect EV certs without also issuing incorrect DV certs. The latter did appear quite a few times, including cases where the CA tried to muddy the waters as much as they could.
For these two reasons I think that EV-like validation (i.e. validation that isn't affected by the domains the cert is bound to) is a complete red herring in the CA system. I understand that people want to make it not a red herring, but the immediate change here is making these CAs able to issue DV certs (or am I wrong?).
Electric.
Why do crows care about the location of owls?
I don't know if you know Scandinavia and the World, but this reminds me of https://satwcomic.com/bad-boy
@delroth Mhm, that makes sense, but it's really weird that it's such a large difference (never over years vs. multiple times within a week).
When you say more limited, do you mean that the target doesn't see the message before they agree to the invite or something else?
I receive ~no invite spam on Matrix (not only no message spam, because that's impossible). I'm curious why the amount of invite spam on Matrix is smaller than the amount of /msg spam on IRC.
@sophieschmieg Doesn't TLS have alert messages (sent inside the encrypted stream) for "I'm not going to send anything on this connection anymore and am closing it"?
@agturcz you can also throw it into the kettle (and that way reduce the number of moments when you have to do something)
I wonder what's your opinion on, instead of having the prospective gift-receiver prepublish wishes, having the prospective gift-giver ask them explicitly.
@lcamtuf it does involve backwards time travel (communicating with the daughter from the "tesseract"). I was thinking of e.g. Lem's Return from the Stars
@lcamtuf or it's only time travel forward (e.g. everything that involves large amounts of time dilation).
Braunwald has basically no road connection (there's some narrow winding road, which I'm surprised doesn't have problems with jams caused by inability to pass), which makes this sound slightly less weird.
I'm amused by the implication that the same helicopter will be used to bring mail up and down.
@mjg59 Now that I think of this some more, I wonder whether it would make sense to have a way to specify rules like "every commit has to be signed in a way that satisfies <foo> or has to be an ancestor of commit <bar>", so that one can do effective rotations of signing keys while not having to trust the repo storage to do all the verification (i.e. while allowing the same verification to happen when e.g. cloning).
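The rule described in the post above, as an added example that is not part of the original post: a toy commit graph where each commit must either be signed by a currently trusted key (the `<foo>` part) or be an ancestor of a pinned commit (the `<bar>` part), so that rotating from an old key to a new one does not require re-signing history. The repository, key names and HMAC stand-in for real commit signatures are all constructed here.

```python
import hashlib
import hmac

# Constructed toy signing keys; HMAC-SHA256 over the commit content stands in for a
# real GPG/SSH commit signature (the verification logic is the same shape).
KEYS = {"k-old": b"old-signing-key", "k-new": b"new-signing-key", "k-rogue": b"rogue-key"}

def sign(key_name, content):
    return hmac.new(KEYS[key_name], content.encode(), hashlib.sha256).hexdigest()

def make_repo():
    """Constructed history: c1..c3 signed with the old key, c4..c5 with the new key
    after a rotation, c6 with a key the policy never accepted."""
    repo = {}
    def commit(cid, parents, key_name):
        content = f"{cid}:{','.join(parents)}"
        repo[cid] = {"parents": parents, "content": content, "sig": sign(key_name, content)}
    commit("c1", [], "k-old")
    commit("c2", ["c1"], "k-old")
    commit("c3", ["c2"], "k-old")    # last old-key commit; pinned as <bar> in the policy
    commit("c4", ["c3"], "k-new")
    commit("c5", ["c4"], "k-new")
    commit("c6", ["c5"], "k-rogue")
    return repo

def ancestors_of(repo, cid):
    """All commits reachable from cid via parent links, including cid itself."""
    seen, stack = set(), [cid]
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(repo[c]["parents"])
    return seen

def signed_by_trusted(repo, cid, trusted):
    c = repo[cid]
    return any(hmac.compare_digest(c["sig"], sign(k, c["content"])) for k in trusted)

def verify_history(repo, head, trusted, pinned):
    """Return the commits reachable from head that violate the rule
    'signed by a trusted key OR an ancestor of (or equal to) the pinned commit'.
    The pinned commit id must come from the policy, not from the repo being checked,
    otherwise whoever controls the storage can move the pin."""
    grandfathered = ancestors_of(repo, pinned)
    return sorted(cid for cid in ancestors_of(repo, head)
                  if cid not in grandfathered and not signed_by_trusted(repo, cid, trusted))
```

Because the check only needs the commit graph and the policy (trusted keys plus pinned hash), a fresh clone can run it without trusting the server to have done so.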
I enjoy things around information theory (and data compression), complexity theory (and cryptography), read hard scifi, currently work on weird ML (we'll see how it goes), am somewhat literal minded and have approximate knowledge of random things. I like when statements have truth values, and when things can be described simply (which is not exactly the same as shortly) and yet have interesting properties.
I live in the largest city of Switzerland (and yet have cow and sheep pastures and a swimmable lake within a few hundred meters of my place :)). I speak Polish, English, German, and can understand simple Swiss German and French.
If in doubt, please err on the side of being direct with me. I very much appreciate when people tell me that I'm being inaccurate. I think that satisfying people's curiosity is the most important thing I could be doing (and usually enjoy doing it). I am normally terse in my writing and would appreciate requests to verbosify.
I appreciate it if my grammar or style is corrected (in any of the languages I use here).