@bascule @whitequark sure. so as an attacker you have hundreds of TLDs you can compromise.
Replying to @a_z_e_t
@a_z_e_t @whitequark X.509 gives global authority to any CA in your truststore. You can literally do no worse
Replying to @bascule
@bascule @whitequark i don't disagree. that's why people are working on CT, ssl observatory, scans.io et cetera. nothing for DNSSEC so far.
Replying to @a_z_e_t
@a_z_e_t @whitequark DNSSEC needs CT too, but modelling authority hierarchically instead of flatly like X.509 reduces attack surface a lot
Replying to @bascule
@bascule @whitequark i don't like hierarchical trust by definition. btw. dkg pointed me to a draft for CT on DNSSEC (https://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00 …)
Replying to @a_z_e_t
@a_z_e_t @whitequark hierarchy is at least more secure than flat, IMO. X.509 is the worst (every CA has authority over everything)
Replying to @bascule
@bascule @whitequark anything is more secure than X.509. that doesn't make hierarchical trust the optimum. i don't have a solution as well.
Replying to @a_z_e_t
@a_z_e_t @whitequark I don't know a better solution that stands a practical chance of being deployed...
Replying to @bascule
@a_z_e_t @whitequark ...if I didn't have a day job already I'd probably work on the problem
Replying to @bascule
@bascule @whitequark so quit. :) i've told myself for a year now that i'm going to look into BGP trust relationships. too much work curr.
@a_z_e_t @whitequark but it pays well and I'm still learning a lot. I don't think I'm ready to tackle the hard problems yet