theamk 4 hours ago
I trust governments much less than a conglomerate of competing corporations. With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better. With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of government, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it.. but with today's climate, I am sure both US and many European countries will do that too)
Parodper 3 hours ago
> every government will absolutely double-issue certificates to police, secret service and friends of government, and no one will have any recourse.

Countries already have CAs that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage.

> With DANE (or other country-issued certificates)

DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries.
account42 4 hours ago
Pretty much any big government has a CA they can exert direct control over whenever needed.