grishka 4 days ago

I want a middle ground. Identity verification is useful for TLS, but I really wish there was no reliance on ultimately trusted third parties for that. Maybe put some sort of identity proof into DNS instead, since the whole thing relies on DNS anyway.

immibis 3 days ago

Makes it trivial for your DNS provider to MITM you, and you can't even use certificate transparency to detect it.

grishka 2 days ago

You can use multiple DNS providers at once to catch that situation. You can have some sort of signing scheme where each authoritative server would sign something in turn to establish a chain of trust up to the root servers. You can use encrypted DNS, even if it is relying on traditional TLS certificates, but it can also use something different for identity verification, like having you use a config file with the public key embedded in it, or a QR code, instead of just an address.
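As an added example (not code from the thread, and not any real resolver's implementation), here is the chain-of-trust scheme the comment above sketches, worked through in Python: each authoritative zone signs a hash of its child zone's key, up to a root key the validator trusts directly, and the leaf zone publishes a hash of the server's TLS public key. That is essentially what DNSSEC's DS/DNSKEY records and DANE's TLSA record do. The script also shows why a single DNS provider cannot quietly substitute its own key (it can re-sign, but not with a key the parent vouched for), and the "ask several providers and compare" check from the same comment. Assumptions: a Lamport one-time signature stands in for DNSSEC's real algorithms (RSA, ECDSA, Ed25519) so it runs on the standard library alone; zone names, keys, the record layout and the "resolver answers" are all constructed for the demo.

```python
"""Toy DNSSEC/DANE-style chain of trust. Added example, not from the thread.

Lamport one-time signatures replace the real DNSSEC algorithms so this runs
on the Python standard library only. Each zone key signs its record set
exactly once, which is all a one-time scheme allows.
"""
import hashlib
import os
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- Lamport one-time signature (stand-in for a real DNSSEC algorithm) ----
def keygen():
    secret = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    # public key = both preimage hashes per message bit; this is the "DNSKEY"
    public = b"".join(sha256(a) + sha256(b) for a, b in secret)
    return secret, public


def sign(secret, message: bytes) -> bytes:
    digest = sha256(message)
    bits = [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]
    return b"".join(secret[i][bit] for i, bit in enumerate(bits))


def verify(public: bytes, message: bytes, signature: bytes) -> bool:
    if len(signature) != 256 * 32 or len(public) != 256 * 64:
        return False
    digest = sha256(message)
    for i in range(256):
        bit = (digest[i // 8] >> (7 - i % 8)) & 1
        preimage = signature[32 * i:32 * i + 32]
        expected = public[64 * i + 32 * bit:64 * i + 32 * bit + 32]
        if sha256(preimage) != expected:
            return False
    return True


# ---- Zones: DS records point down to children, TLSA records to servers ----
@dataclass
class SignedZone:
    name: str
    dnskey: bytes      # zone public key, as a DNSKEY record would carry it
    records: dict      # "DS <child>" -> sha256(child key), "TLSA <host>" -> sha256(tls key)
    rrsig: bytes       # signature by dnskey over the canonical record set


def canonical(records: dict) -> bytes:
    return b"\n".join(k.encode() + b"=" + v.hex().encode()
                      for k, v in sorted(records.items()))


def make_zone(name: str, records: dict) -> SignedZone:
    secret, public = keygen()
    return SignedZone(name, public, dict(records), sign(secret, canonical(records)))


def validate_tlsa(trust_anchor: bytes, chain: list, host: str):
    """Walk root -> TLD -> zone. Each zone's key must hash to the DS record the
    parent signed (the root's to the configured anchor), and each record set
    must verify under that key. Returns the TLSA hash, or None on any failure."""
    expected_ds = trust_anchor
    for i, zone in enumerate(chain):
        if sha256(zone.dnskey) != expected_ds:
            return None                       # key not vouched for by the parent
        if not verify(zone.dnskey, canonical(zone.records), zone.rrsig):
            return None                       # records altered after signing
        if i == len(chain) - 1:
            return zone.records.get(f"TLSA {host}")
        expected_ds = zone.records.get(f"DS {chain[i + 1].name}")
        if expected_ds is None:
            return None
    return None


def build_demo():
    """Constructed root -> com -> example.com hierarchy (hypothetical keys)."""
    server_pubkey = b"example.com TLS public key (constructed)"
    example = make_zone("example.com",
                        {"TLSA _443._tcp.example.com": sha256(server_pubkey)})
    com = make_zone("com", {"DS example.com": sha256(example.dnskey)})
    root = make_zone(".", {"DS com": sha256(com.dnskey)})
    trust_anchor = sha256(root.dnskey)       # shipped in the validator's config
    return trust_anchor, [root, com, example], server_pubkey


def mitm_resolver(chain: list, host: str, attacker_pubkey: bytes) -> list:
    """A DNS provider swaps the TLSA record for its own key and re-signs the
    zone with a fresh key. Without the parent's key it cannot make the DS match."""
    secret, public = keygen()
    tampered = {**chain[-1].records, f"TLSA {host}": sha256(attacker_pubkey)}
    fake = SignedZone(chain[-1].name, public, tampered, sign(secret, canonical(tampered)))
    return chain[:-1] + [fake]


def cross_check(answers: dict):
    """Query several providers; accept a value only if they all agree."""
    values = set(answers.values())
    return values.pop() if len(values) == 1 else None


if __name__ == "__main__":
    anchor, chain, server_key = build_demo()
    host = "_443._tcp.example.com"
    print("honest chain ok:", validate_tlsa(anchor, chain, host) == sha256(server_key))
    print("mitm rejected: ",
          validate_tlsa(anchor, mitm_resolver(chain, host, b"attacker"), host) is None)
```

The validator in `validate_tlsa` is the piece that keeps a single provider honest: a resolver in the path can rewrite what it relays, but every record set must verify under a key the parent zone signed for, so a swapped key fails at the DS comparison and a swapped record fails at the signature check. `cross_check` is the weaker, signature-free alternative the comment also mentions; it only catches a provider that lies differently from the others.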