DNS is decentralized. Except when everyone uses the same nameserver provider and goes down at once when it gets hit by DoS
@a_z_e_t @whitequark I kind of like DNSSEC in a sort of "lesser of all evils" way :|
@bascule @whitequark well. i don't. more possible points of compromise. not that i like WoT nor CAs. it's a mess, for sure.
@a_z_e_t @whitequark DNSSEC authority is hierarchical, like hypothetical X.509 name constraints, but built that way from the start
@bascule @whitequark sure. so as an attacker you have hundreds of TLDs you can compromise.
@a_z_e_t @whitequark X.509 gives global authority to any CA in your truststore. You can literally do no worse
@bascule @whitequark i don't disagree. that's why people are working on CT, ssl observatory, scans.io et cetera. nothing for DNSSEC so far.
@a_z_e_t @whitequark DNSSEC needs CT too, but modelling authority hierarchically instead of flatly like X.509 reduces attack surface a lot
@bascule @whitequark i don't like hierarchical trust by definition. btw. dkg pointed me to a draft for CT on DNSSEC (https://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00 …)
@a_z_e_t @whitequark hierarchy is at least more secure than flat, IMO. X.509 is the worst (every CA has authority over everything)
@bascule @a_z_e_t @whitequark DNSSEC is much worse than the evils we have now.
@tqbf @bascule @whitequark yes. thanks for helping out here ;)
@a_z_e_t @bascule @whitequark I feel like I wrote an 8,000 word blog post about this. Oh, wait: I did, and just never hit “Publish”. :P
@tqbf @bascule @whitequark that would at least make it more efficient for me to tell DNSSEC idolizers to fuck off, so please do!
@a_z_e_t @tqbf @whitequark I don't actually like DNSSEC but it feels right architecturally and getting traction on something new is hard
@bascule @tqbf @whitequark TACK felt right. and got ignored. building upon WoT/CA bullshit still doesn't I agree. new protocols please!
@a_z_e_t @tqbf @whitequark most of what @trevp__ does gets ignored despite the fact he's one of the world's most brilliant cryptographers
@bascule @a_z_e_t @tqbf @whitequark Ha!, for the record I agree with none of that :-)