Has anyone here looked into "Namecoin" at all? I must admit I've only seen a two line reference about it and meant to follow up but haven't had the time.

https://en.wikipedia.org/Namecoin

Do you think the same distributed approach could be applied to certifying SSL-like connections? Sorry if this question seems naive. I have no deep knowledge of internet protocol structure or function.

--------------------------------------------
On Mon, 8/19/13, Ben Laurie <[email protected]> wrote:

Subject: Re: [liberationtech] verifying SSL certs (was Re: In defense of client-side encryption)
To: "liberationtech" <[email protected]>
Date: Monday, August 19, 2013, 3:41 AM

On 14 August 2013 10:46, Guido Witmond <[email protected]> wrote:

> On 08/14/13 15:18, Ben Laurie wrote:
>> On 14 August 2013 08:54, Guido Witmond <[email protected]> wrote:
>>> On 08/13/13 19:42, Andy Isaacson wrote:
>>>> On Mon, Aug 12, 2013 at 11:10:39AM +0200, Guido Witmond wrote:
>>>>> There is another problem. You rely on HTTPS. Here is the 64000
>>>>> dollar question:
>>>>>
>>>>> Q._"What is the CA-certificate for your banks' website?"_
>>>>> [snip]
>>>
>>> I too have given up on expecting security from the global CAs. That's
>>> why I want to see DNSSEC succeed.
>>
>> DNSSEC merely transfers the problem to registries and registrars, who
>> are no more reliable than CAs. You need to solve the problem of having
>> to trust third parties before DNSSEC will work (which is the same
>> problem you need to solve for CAs),
>
> Yes, there is trust involved, but there is a difference. With CAs anyone
> can sign a certificate for any site. It's a race to the bottom with no
> winners. Not even the CAs, as they can't differentiate between
> themselves. The consequence is that no one trusts any of them. And who
> likes to do business with a party he doesn't trust but needs anyway?
>
> With DNSSEC, I have the choice of registrar. If there is a bad apple, I
> choose another who I find better worth my money.
>
>> And, sorry to bang on about it, but the answer is Certificate
>> Transparency. BTW, my team is about to start looking at DNSSEC
>> Transparency, too.
>
> Don't bang too hard: DNSSEC and CT solve the same problem.

This is not correct.

> The problem is that there is no registry that specifies which of the
> Global Certificate Authorities is the one you should trust to validate
> a server certificate. The mess we have right now is that each of the
> Global CAs can sign a server certificate. Hence my 64000 dollar
> question.
>
> Both DNSSEC and CT solve the problem, albeit in different ways with
> different pros and cons.
>
> With DNSSEC and DANE, the site operator specifies *a priori* which CA
> he uses to sign the server certificates. It can be a self-signed
> certificate.
>
> With CT, you register which CA has signed a certificate for a web site
> *after the fact*.

Not really. The registration occurs before the cert can be used.

> We need them both! To keep the CAs and registrars honest.
>
> I really appreciate your work on CT.

CT does not keep registrars honest. This is why you need DNSSEC
transparency.

> Guido.
>
> --
> Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
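As an added illustration of the DANE point made in the quoted exchange (my own example, not code from the thread or from any of its participants): the site operator publishes a TLSA record in DNS ahead of time, and the client checks the certificate it is handed against that pin, so a self-signed certificate is acceptable when the record pins the end-entity cert itself. The record layout follows RFC 6698; the certificate and SPKI bytes below are constructed byte strings standing in for DER so the code runs offline.

```python
import hashlib
import hmac
from typing import NamedTuple

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
MATCHING = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}

class TLSARecord(NamedTuple):
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int
    data: bytes         # certificate association data

def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse presentation-format rdata such as '3 1 1 <hex>'."""
    usage, selector, mtype, hexdata = rdata.split(maxsplit=3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))

def association_data(selector, mtype, cert_der, spki_der):
    """Bytes a record must carry for this cert, or None if unsupported."""
    selected = {0: cert_der, 1: spki_der}.get(selector)
    digest = MATCHING.get(mtype)
    return None if selected is None or digest is None else digest(selected)

def make_tlsa_rdata(usage, selector, mtype, cert_der, spki_der) -> str:
    """What the operator publishes in DNS: the pin for its own cert or CA."""
    return f"{usage} {selector} {mtype} " + association_data(selector, mtype, cert_der, spki_der).hex()

def dane_match(rrset, chain) -> bool:
    """chain = [(cert_der, spki_der), ...], leaf first.  Usage 3 (DANE-EE) pins
    the leaf itself, so a self-signed cert passes; usage 2 (DANE-TA) pins a CA
    that must appear in the chain (a full client also verifies the leaf chains
    to it).  Usages 0/1 also require PKIX validation and are skipped here."""
    for rdata in rrset:
        rec = parse_tlsa(rdata)
        candidates = chain[:1] if rec.usage == 3 else chain[1:] if rec.usage == 2 else []
        for cert_der, spki_der in candidates:
            got = association_data(rec.selector, rec.matching_type, cert_der, spki_der)
            if got is not None and hmac.compare_digest(got, rec.data):
                return True
    return False

# Constructed stand-ins for DER certificate / SPKI bytes (not real X.509, just
# byte strings so the example runs offline)
LEAF = (b"constructed-leaf-cert", b"constructed-leaf-spki")
CA = (b"constructed-ca-cert", b"constructed-ca-spki")
ROGUE = (b"constructed-rogue-cert", b"constructed-rogue-spki")
EXAMPLE_RRSET = [make_tlsa_rdata(3, 1, 1, *LEAF), make_tlsa_rdata(2, 0, 2, *CA)]
```

Compare with CT: nothing here consults a log after issuance; the pin is fixed in DNS before the certificate is ever presented, which is the "a priori" distinction drawn above.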
