
DNSSEC, TLS DANE is the proper solution for this.



DNSSEC means creating irrevocable CAs that'd be under essentially-direct control of major governments. No thanks. At least with the current system, if a CA fails to act properly, they can get smacked back. With DNSSEC, if .com starts issuing *.com certs, there's no recourse.


Huh? Your site can already be completely hijacked by the same actors. Your browser trusts a lot of CAs, so VeriSign (or whoever operates the .com zone) can already issue .com certs. And your only hope is to preload your cert (which is a Chrome-only thing, and pretty inefficient and inflexible).

The Convergence Project with notaries is an even better solution.

But using the DNS as the authoritative source of data and using external parties to keep an eye on that would both lead to efficiency (performance, flexibility) and security (as in from the State).
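The two comments above argue about DANE and DNS-anchored certificates without showing what a DANE record actually pins. The following is an added example, not code posted by anyone in this thread: it builds a TLSA record (RFC 6698: usage 3 "DANE-EE", selector 1 "SubjectPublicKeyInfo", matching type 1 "SHA-256") from a certificate and checks a presented certificate against a set of published records. The X.509 certificates are constructed, unsigned DER blobs built inline so the script runs offline; the RSA modulus bytes are placeholders, not real key material. A deployment would read the leaf certificate from the TLS handshake and the TLSA records from a DNSSEC-validated lookup of `_443._tcp.<host>`.

```python
"""DANE/TLSA (RFC 6698) matching with a minimal DER walker.

Added example for this thread. The sample certificates are constructed,
structurally valid but unsigned X.509 DER, so everything runs offline.
"""
import hashlib

# --- tiny DER encoder, used only to build the constructed sample certificates ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

OID_RSA = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSA
OID_CN = bytes.fromhex("550403")                       # 2.5.4.3 commonName

def sample_spki(modulus: bytes) -> bytes:
    """SubjectPublicKeyInfo wrapping an RSAPublicKey (placeholder modulus, e=65537)."""
    rsa_key = der(0x30, der(0x02, b"\x00" + modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_key))

def sample_cert(spki: bytes, serial: int) -> bytes:
    """Constructed X.509 v3 certificate; the signature is a zeroed placeholder."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0c, b"example.com"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    tbs = der(0x30, der(0xa0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 32))

# --- DER walker: just enough to find the SubjectPublicKeyInfo in a certificate ---
def der_read(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, start, start + length

def der_children(buf: bytes, start: int, end: int):
    """List of (tag, full TLV bytes) for the elements inside a constructed type."""
    pos, out = start, []
    while pos < end:
        tag, s, e = der_read(buf, pos)
        out.append((tag, buf[pos:e]))
        pos = e
    return out

def extract_spki(cert_der: bytes) -> bytes:
    _, s, e = der_read(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs = der_children(cert_der, s, e)[0]        # tbsCertificate is the first element
    _, ts, te = der_read(tbs, 0)
    fields = der_children(tbs, ts, te)
    if fields[0][0] == 0xA0:                        # optional explicit [0] version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

# --- TLSA generation and matching (certificate usage 3, DANE-EE) ---
def tlsa_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    data = cert_der if selector == 0 else extract_spki(cert_der)   # 0 = full cert, 1 = SPKI
    if matching == 0:
        return data                                 # exact match
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")

def tlsa_record(cert_der: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    return f"{usage} {selector} {matching} {tlsa_data(cert_der, selector, matching).hex()}"

def parse_tlsa(rr: str):
    u, s, m, h = rr.split()
    return int(u), int(s), int(m), h.lower()

def dane_matches(cert_der: bytes, records) -> bool:
    """True if any published DANE-EE record pins the presented certificate."""
    return any(u == 3 and tlsa_data(cert_der, s, m).hex() == h for u, s, m, h in records)

# Constructed sample material (not real keys): A renews with the same key, B is a different key.
KEY_A = sample_spki(bytes(range(256)))
KEY_B = sample_spki(bytes(reversed(range(256))))
CERT_A = sample_cert(KEY_A, serial=1)
CERT_A_RENEWED = sample_cert(KEY_A, serial=2)
CERT_B = sample_cert(KEY_B, serial=3)

def demo():
    published = [parse_tlsa(tlsa_record(CERT_A, 3, 1, 1))]
    return {
        "same_cert": dane_matches(CERT_A, published),
        "renewed_same_key": dane_matches(CERT_A_RENEWED, published),   # 3 1 1 survives reissue
        "other_key": dane_matches(CERT_B, published),
        "renewed_full_cert_pin": dane_matches(CERT_A_RENEWED,
                                              [parse_tlsa(tlsa_record(CERT_A, 3, 0, 1))]),
    }

if __name__ == "__main__":
    print("_443._tcp.example.com. IN TLSA", tlsa_record(CERT_A))
    print(demo())
```

The point the example makes about the thread's argument: with usage 3 the DNS record itself is the trust anchor, so whoever can sign the zone (the registrar, the registry, or the parent of either) can publish a record for a key they control, which is exactly the "no recourse" concern raised above. Pinning the SPKI (selector 1) rather than the whole certificate lets a site renew its certificate without touching the record, but that is a convenience, not a mitigation of that trust dependency.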


No, Namecoin is the proper solution to this.

DNSSEC is not safe:

1. It requires centralized trust which can be exploited by governments.

2. It still leaves your domain and PKI in the hands of incompetent rent-seeking registrars who can and do get socially engineered all the time.



