@bascule yeah you're right. I'm not making sense
Replying to @whitequark
@whitequark @bascule ..and don't be fooled by people trying to tell you DNSSEC will solve this. :)
Replying to @a_z_e_t
@a_z_e_t @whitequark I kind of like DNSSEC in a sort of "lesser of all evils" way :|
Replying to @bascule
@bascule @whitequark well. i don't. more possible points of compromise. not that i like WoT nor CAs. it's a mess, for sure.
Replying to @a_z_e_t
@a_z_e_t @whitequark DNSSEC authority is hierarchical, like hypothetical X.509 name constraints, but built that way from the start
Replying to @bascule
@bascule @whitequark sure. so as an attacker you have hundreds of TLDs you can compromise.
Replying to @a_z_e_t
@a_z_e_t @whitequark X.509 gives global authority to any CA in your truststore. You can literally do no worse
Replying to @bascule
@bascule @whitequark i don't disagree. that's why people are working on CT, ssl observatory, scans.io et cetera. nothing for DNSSEC so far.
Replying to @a_z_e_t
@a_z_e_t @whitequark DNSSEC needs CT too, but modelling authority hierarchically instead of flatly like X.509 reduces attack surface a lot
Replying to @bascule
@bascule @whitequark i don't like hierarchical trust by definition. btw. dkg pointed me to a draft for CT on DNSSEC (https://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00 …)
@a_z_e_t @whitequark access control, step 0: make sure everyone doesn't have authority over everything