@bascule what I mean is that a single failure in well-deployed DNS has small impact. maybe "decentralized" is not the right word
@a_z_e_t @whitequark DNSSEC needs CT too, but modelling authority hierarchically instead of flatly like X.509 reduces attack surface a lot
@bascule @whitequark i don't like hierarchical trust by definition. btw. dkg pointed me to a draft for CT on DNSSEC (https://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00 …)
@a_z_e_t @whitequark hierarchy is at least more secure than flat, IMO. X.509 is the worst (every CA has authority over everything)
@bascule @whitequark anything is more secure than X.509. that doesn't make hierarchical trust the optimum. i don't have a solution as well.
@a_z_e_t @whitequark I don't know a better solution that stands a practical chance of being deployed...
@a_z_e_t @whitequark ...if I didn't have a day job already I'd probably work on the problem
@bascule @whitequark so quit. :) i've told myself for a year now that i'm going to look into BGP trust relationships. too much work curr.
@a_z_e_t @whitequark but it pays well and I'm still learning a lot. I don't think I'm ready to tackle the hard problems yet