Hacker News
by palmotea 8 days ago
> This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.

I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.

You could do that with a much saner approach like DANE.
Not back when SSL and the PKI ecosystem were developed.
Yes, actually you still could've. But it would require a pass through the IETF to standardize a DNS record type, and that would delay Netscape's release.
Any DNS-based solution needs something like DNSSEC to work. I believe DNSSEC didn't exist yet when HTTPS was being developed and even if it did, it wasn't anywhere near ubiquitous enough. Is it even these days?
No, fewer than 5% of North American DNS names are signed, and the number has gone down over some recent years.
That's kind of like saying that any CA-based solution needs something like a root program. Sure, but that would just be part of creating a DANE-like solution. Both the current CA solution and DANE or another hypothetical DNS-based solution are fundamentally similar on a technical level: hierarchical delegation of authorization backed by public key crypto. The main difference is where on the delegation chain you limit authority for further delegation and who controls the root. The DNS-based approach has the crypto system reflect real ownership while the CA-based approach has browser makers at the top and whoever pays enough money and hasn't publicly fucked up yet at the middle with delegated authority to sign literally everything.
That's one way to put it. Another way to put it is that the CA system keeps cryptographic trust managed by organizations that can easily be destroyed if they fail, while DANE's trust is practically irrevocable.
I always thought the main goal was to force people to pay money for certificates.
Let's Encrypt certificates are free.