by tptacek 4345 days ago
First, you don't get "a single trusted root". If DNSSEC/DANE had been deployed 3 years ago, Qhadaffi's Libyan government would have effectively been the CA for BIT.LY.

Second, and more importantly: the smaller number of trust anchors you end up with in DNSSEC are controlled by world governments.

It seems absurd to me that the Internet's response to the "global passive adversary" of NSA would be to hand the entire PKI system over to the USG formally. That's what DNSSEC does.


> ...Qhadaffi's Libyan government would have effectively been the CA for BIT.LY.

They already are, in practice. Many reputable CAs will issue certificates to anyone who can forge an MX record for a domain. With or without DNSSEC, TLD operators are capable of forging those records.

>It seems absurd to me that the Internet's response to the "global passive adversary" of NSA would be to hand the entire PKI system over to the USG formally. That's what DNSSEC does.

No, DNSSEC builds authentication into a system that is and has always been centrally controlled. And just like with the X.509 CA system, you can use pinning or Convergence or anything else you want to supplement that.

You shouldn't start a sentence with "no" when it confirms the sentence it's responding to.
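The exchange above turns on one structural fact: in DNSSEC the DS record for a zone is published and signed by the parent, so whoever runs the TLD can mint a fresh key for any child, publish a DS for it, and sign whatever records they like, all without touching the child's real key. The toy chain-of-trust validator below is an added example, not code from the thread or from any DNSSEC implementation. It assumes a simplified model (one ed25519 key per zone, DS = SHA-256 of the child key, records as plain strings, no wire formats or KSK/ZSK split); the zone names, addresses and the "pinned key" map are constructed for illustration. It shows the honest bit.ly chain validating, a rogue ly. operator's forgery validating just as well against the root trust anchor, and an out-of-band key pin (the "pinning or Convergence" supplement mentioned above) catching the forgery.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is a toy DNSSEC zone apex: its name and a single signing key pair.
// (Real DNSSEC has separate KSK/ZSK and RRSIG/DS wire formats; this model
// signs raw canonical strings with ed25519 to keep the chain logic visible.)
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// Signed is a record plus the RRSIG-like signature of the zone that owns it.
type Signed struct {
	Owner string // zone that produced the signature
	Data  []byte // canonical record bytes
	Sig   []byte
}

func (z *Zone) Sign(data []byte) Signed {
	return Signed{Owner: z.Name, Data: data, Sig: ed25519.Sign(z.priv, data)}
}

// dsBytes is the DS body a parent publishes for a child: the child's name and
// the SHA-256 digest of the DNSKEY the parent vouches for.
func dsBytes(child string, key ed25519.PublicKey) []byte {
	sum := sha256.Sum256(key)
	return append([]byte("DS "+child+" "), sum[:]...)
}

// Delegation is one link in the chain: the DNSKEY the child presents and the
// DS record for it, signed by the parent. Only the parent's key is needed.
type Delegation struct {
	Child    string
	ChildKey ed25519.PublicKey
	DS       Signed
}

func (z *Zone) Delegate(child string, childKey ed25519.PublicKey) Delegation {
	return Delegation{Child: child, ChildKey: childKey, DS: z.Sign(dsBytes(child, childKey))}
}

// Validate walks from the trust anchor (root DNSKEY) down the delegation path:
// each DS must be signed by the key established one level up, each child DNSKEY
// must match its DS digest, and the leaf record must verify under the leaf key.
// pins optionally fixes the only DNSKEY the resolver will accept for a zone,
// a stand-in for out-of-band pinning that the chain itself cannot provide.
func Validate(anchor ed25519.PublicKey, path []Delegation, rec Signed,
	pins map[string]ed25519.PublicKey) error {
	key := anchor
	for _, d := range path {
		if !ed25519.Verify(key, d.DS.Data, d.DS.Sig) {
			return fmt.Errorf("DS for %s: bad signature by parent", d.Child)
		}
		if !bytes.Equal(d.DS.Data, dsBytes(d.Child, d.ChildKey)) {
			return fmt.Errorf("DS for %s: DNSKEY does not match DS digest", d.Child)
		}
		if pinned, ok := pins[d.Child]; ok && !bytes.Equal(pinned, d.ChildKey) {
			return fmt.Errorf("%s: DNSKEY differs from pinned key", d.Child)
		}
		key = d.ChildKey
	}
	if n := len(path); n > 0 && rec.Owner != path[n-1].Child {
		return fmt.Errorf("leaf record signed by %s, expected %s", rec.Owner, path[n-1].Child)
	}
	if !ed25519.Verify(key, rec.Data, rec.Sig) {
		return errors.New("leaf record: bad signature")
	}
	return nil
}

// Scenario reports whether the honest chain validates, whether a rogue TLD
// operator's forged chain validates, and whether pinning bit.ly's real key
// catches the forgery. Names and addresses are constructed for illustration.
func Scenario() (honestOK, forgedOK, pinnedCatches bool) {
	root := NewZone(".")
	ly := NewZone("ly.") // the TLD operator, which the thread notes is a government
	bitly := NewZone("bit.ly.")

	honestPath := []Delegation{root.Delegate("ly.", ly.Pub), ly.Delegate("bit.ly.", bitly.Pub)}
	honestRec := bitly.Sign([]byte("bit.ly. IN A 203.0.113.10"))
	honestOK = Validate(root.Pub, honestPath, honestRec, nil) == nil

	// The TLD never needs bit.ly's private key: it mints its own "bit.ly." key,
	// publishes a DS for it under ly., and signs any record it likes.
	rogue := NewZone("bit.ly.")
	forgedPath := []Delegation{root.Delegate("ly.", ly.Pub), ly.Delegate("bit.ly.", rogue.Pub)}
	forgedRec := rogue.Sign([]byte("bit.ly. IN A 198.51.100.66"))
	forgedOK = Validate(root.Pub, forgedPath, forgedRec, nil) == nil

	pins := map[string]ed25519.PublicKey{"bit.ly.": bitly.Pub}
	pinnedCatches = Validate(root.Pub, forgedPath, forgedRec, pins) != nil
	return
}

func main() {
	h, f, p := Scenario()
	fmt.Printf("honest chain validates: %v\nrogue TLD forgery validates: %v\npinned resolver rejects forgery: %v\n", h, f, p)
}
```

Running it prints true, true, true: the forged chain is indistinguishable from the honest one to a resolver that trusts only the root anchor, which is the sense in which the TLD operator (and, one level up, whoever holds the root key) is effectively the CA for every name beneath it. The pin check is the only thing that separates the two chains, and it has to come from somewhere outside DNSSEC, which is the supplement the second comment is pointing at.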