Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Parodper 5 hours ago

We could, and should, switch to DANE. Or else, switch to how X.509 was supposed to be used, with each country running a CA for their nationals.

theamk 4 hours ago | parent [-]

I trust governments much less that a conglomerate of competing corporations.

With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better.

With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it.. but with today's climate, I am sure both US and many European countries will do that too)

Parodper 3 hours ago | parent | next [-]

> every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse.

Countries already have CA that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage.

> With DANE (or other country-issued certificates)

DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries.

account42 4 hours ago | parent | prev [-]

Pretty much any big government has a CA they can exert direct control over whenever needed.

theamk 4 hours ago | parent [-]

Maybe, but then can only do it once. Then they get caught, and their CA is distrusted. See Diginotar [0] for example.

And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party.

If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country?

[0] https://blog.mozilla.org/security/2011/09/02/diginotar-remov...

JumpCrisscross 2 hours ago | parent | next [-]

Side note: “DigiNotar BV was a Dutch certificate authority from 1998 to 2011. It was acquired in January 2011 by VASCO and subsequently declared bankrupt in September of the same year” [1].

I didn’t realize the slapped their face on the pavement right after being acquired.

[1] https://en.wikipedia.org/wiki/DigiNotar

2 hours ago | parent | prev [-]
[deleted]