[wav-part]

Current: Google need to watch all CAs.

DNSSEC: Google need to watch .com and dnsroot.

Which one is better ?

----

(I am ratelimited so posting here rather than reply to the child post by tptacek https://news.ycombinator.com/item?id=18889809)

Of course they can. There is literally no legal or otherwise difference between Verisign and .com. Chrome can do whatever it want, cause its Google's browser not .com's.

In case when .xxx becomes dishonest, you can just move to your own gtld or .more-trustable tld. In current system, there is no concept of ditching a CA. If a CA decided to missmap a name and you are too small, you are fked.

> it’s actually 1, or 1 AND 2

No you can have DNSSEC without CAs. I have explained that already without changing much of the tls. Basically example.com DNSSEC key become CA for example.com. example.com then would create a tls cert in the usual way. No pain.

[akerl_]

“You can just move to your own <other TLD>” isn’t even remotely plausible. Any site with worthwhile traffic isn’t going to just forklift to a new TLD and convince all their users to switch over. Imagine if .com was considered untrustworthy and suddenly every user in the US had to use google.othertld, facebook.othertld, etc.

[topranks]

Yeah but if .com is untrustworthy then the game is up.

The operator of .com can use their control over it to get a valid TLS cert issued by any number of CAs.

So the situation is no different currently, trust in the DNS is essential.

[tptacek]

Again if that's true then the game is up, because the USG obviously controls .COM; they theatrically demonstrate that every time they take down a piracy site. But, spoiler! The game turns out not to be up.

[tptacek]

The former, for several reasons, among them the fact that those actually aren’t the options (it’s actually 1, or 1 AND 2), and the fact that Google can’t end .com they way they did Verisign.

But feel free to ask the relevant team at Google, who will give you the same answer.