| ▲ | MarleTangible 9 hours ago |
| I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them. Most simple services may not need TLS, but with the ISPs eavesdropping on our communication, a form of secure communication is required and the currently best solution we have requires a trust-chain to be built. |
|
| ▲ | happosai an hour ago | parent | next [-] |
| It is such a great improvement that ISPs cannot eavesdrop us anymore... only for everyone to terminate TLS at cloudflare so they (and thus US government) can now eavesdrop everyone. |
|
| ▲ | account42 4 hours ago | parent | prev | next [-] |
| Do we also need to put all our letters into strongboxes before we send them? Maybe we should have solve the ISP snooping problem by making that illegal instead. |
| |
| ▲ | theamk 3 hours ago | parent [-] | | This just leaves every single public Wifi network - which used to mess with traffic a lot | | |
|
|
| ▲ | Parodper 5 hours ago | parent | prev | next [-] |
| We could, and should, switch to DANE. Or else, switch to how X.509 was supposed to be used, with each country running a CA for their nationals. |
| |
| ▲ | theamk 4 hours ago | parent [-] | | I trust governments much less that a conglomerate of competing corporations. With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better. With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it.. but with today's climate, I am sure both US and many European countries will do that too) | | |
| ▲ | Parodper 3 hours ago | parent | next [-] | | > every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. Countries already have CA that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage. > With DANE (or other country-issued certificates) DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries. | |
| ▲ | account42 4 hours ago | parent | prev [-] | | Pretty much any big government has a CA they can exert direct control over whenever needed. | | |
| ▲ | theamk 4 hours ago | parent [-] | | Maybe, but then can only do it once. Then they get caught, and their CA is distrusted. See Diginotar [0] for example. And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party. If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country? [0] https://blog.mozilla.org/security/2011/09/02/diginotar-remov... | | |
| ▲ | JumpCrisscross 2 hours ago | parent | next [-] | | Side note: “DigiNotar BV was a Dutch certificate authority from 1998 to 2011. It was acquired in January 2011 by VASCO and subsequently declared bankrupt in September of the same year” [1]. I didn’t realize the slapped their face on the pavement right after being acquired. [1] https://en.wikipedia.org/wiki/DigiNotar | |
| ▲ | 2 hours ago | parent | prev [-] | | [deleted] |
|
|
|
|
|
| ▲ | thaumasiotes 2 hours ago | parent | prev [-] |
| > I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them. Note that phones already try to prevent you from using a certificate that you provide yourself. |
