Hacker News new | ask | show | jobs
by tptacek 2673 days ago
Again, this is a redefinition of the concept of a WebPKI trust anchor (or, for that matter, of a "trust anchor" in any PKI; it would be equally confusing to describe the Linux kernel as a "trust anchor" in a secret storage or XML signing or inter-services authentication PKI).

If you want to use an idiosyncratic definition of a term, that's fine --- I won't, but I can at least follow the argument. But what you can't do is say "that citation you provided does not say what you said it does" when it clearly does using the mainstream definition of the term. It's especially fallacious to pull out this semantic argument about a reliable source that generates a surprising conclusion about trust anchors!

DNSSEC adds trust anchors to the Web PKI.

Obviously, I disagree with the argument that we "need" DNSSEC to securely issue certificates, but the rest of this thread adequately captures my rebuttals to that argument.
1 comments
Ajedi32 2673 days ago
If you insist on such a narrow definition of the term "trust" then yes you're technically correct. But it also reduces your entire argument into one of semantics; there's no security impact to adding a new "trust anchor" as you're defining the term.
link
tptacek 2673 days ago
No, sorry, you're not getting away with that argument. We're not debating "trust"; we're debating "trust anchors". "Trust anchor" is a term of art with a specific meaning, and you can't pretend I'm the one trying to exploit a technicality when you've built an argument whose premise is an idiosyncratic redefinition of the term.

Besides that, you were just plain wrong, twice (you doubled down when I showed the quote that refuted your claim). It's fine to be wrong; I'm wrong all the time! But stubbornly refusing to acknowledge when you're plainly incorrect to the extent where you redefine words is not a good look.

link
Ajedi32 2673 days ago
Okay, that's fair. You've won the semantic argument, I was wrong to argue that DANE doesn't add new "trust anchors".

The central point of your comment is still completely wrong though. DANE does _not_ add new trusted actors, and has no significant negative security impact.

link
tptacek 2673 days ago
"Trusted actor"? Seriously?
link
Ajedi32 2673 days ago
That's the term magila used in the comment you originally replied to near the start of this thread before you started the whole semantic debate about "trust anchors". Ultimately, trust is something you place in people and organizations, not inanimate cryptographic primitives.
link
tptacek 2673 days ago
Ah, you're right, fair enough; I read it as "trust anchor" (because that's the real term). Sorry for snarking.
link