darkarmani's comments

Oh! That is a good way to conflate the issue. "It's for signing and verification."

That definitely has almost nothing to do with TLS and browsers. Why does my browser need to verify national ID cards? (no need to answer that)


It's not a "security check"; it's just informing the user about their certs...


The certs let the authorities issue new certs for anyone they want, e.g. your email provider, and your browser won't be allowed to verify whether those certifications are valid or not, to notify the user.


The second they do that the entire internet is going to download it to see what the fuss is about.

While they could legally do that, it's going to blow up in their face if they did it. I remember the old crypto export wars in the US and OpenBSD being based in Canada so they could ship string crypto in SSH.


Did you mean strong crypto? String crypto makes no sense in the context.


> don't leave sensitive data out there

Where "out there" is Okta. You are basically saying: Don't leave sensitive data with Okta.


"yet another Okta compromise" sounds passive to you?


802.1x. At least that was what could be used 12 years ago. I don't know about state of the art now.


> Make it a legal requirement for parents to set up this option for their children on every device they use.

Why? Let the parents decide -- they now have the controls they need.

> Make it illegal to send invalid "safe content" headers.

Just make them cryptographically signed. Anything without a valid signed header is "adult".


> Just make them cryptographically signed.

Yes this is better, let some organisation issue these signatures.


For a ‘reasonable’ fee of course.


Hashicorp wouldn't have a successful product if they hadn't open sourced their code.

Now that they are entrenched, they want to change rules (and whine about it) because it makes them more money.


Isn't that totally different? I thought brick and mortar stores actually buy inventory (or commit to buy orders in this age of just-in-time) where Amazon is just the middleman connecting buyers and sellers and charging fees on both ends.

If Amazon wants to commit to certain sizes of orders, I'm sure the vendors will be happy with contractual price setting.


Amazon warehouse inventory is held ahead of time. That's how the commitment to some stock levels works today.


So every URL is a trespass unless you have explicit permission?

If you say the protocol determines authorization, then the Fizz protocol granted them authorization. I don't have a clear answer here because it is messy.


It's not all or nothing. The law is literally decided on a case by case basis.

Going to the home page of a public website is clearly authorized access. Creating admin users for yourself on someone else's server without permission is clearly unauthorized access. Any judge or jury would agree.


It depends on how you uncovered the URL and what's behind it: your intent, which is most of what matters here.

