Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] Https login

discuss AT

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] Https login

Chronological Thread 
  • From: Trevor Nelson <trevor AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] Https login
  • Date: Thu, 28 Nov 2013 15:44:50 -0600

To build on Coyo's point:

The link dates from 2010 when people by and large didn't believe that this would become an issue. I agree the CA system is absolutely and fundamentally broken, centralizing the entire cryptographic identity power within a few corporations. Would could possibly go wrong?

VeriSign can't be trusted as far as they can be thrown as they're notorious for seizing domains at the behest of lobbying organizations and the US government. I've seen a couple of proposals for moving away from the CA system but nothing concrete. I'd like to do more research into that area as I think it is one of the major risks to next-gen privacy in a world where every organization is seemingly spying on you. I realize it is out of the scope of this list a bit, but I do think it is a conversation worth having.

On 11/28/2013 3:20 PM, Coyo wrote:

We need an alternative server-to-server authentication system to the CAs. The CA system is proven to be broken. Don't believe me? Call +1 415 436 9333 to contact the Electronic Frontier Foundation. Ask about Certificate Authority abuses such as forged signatures by Verisign and GoDaddy, and how ICE domain seizure is possible.

Although Comodo is relatively trustworthy (compared to Verisign), all Certificate Authorities are high-value targets for litigation or even private property raids and seizures. What a bunch of jackbooted Nazis.

I'd say use PGP, but that cryptosystem is not intended for server-to-server communications, and relies on manual involvement.

Isn't there a system proposed somewhere that let you place PGP certs in a DNS record? Wasn't there an RFC somewhere that proposed PGP-TLS extensions? I vaguely recall somewhere that there were some DNS records intended for the ability to use DANE to provide all authentication, without a single x.509 certificate anywhere. I'm pretty sure there was a proposed DNS record type to provide a PGP-signed x.509 certificate via DANE, but the reason I don't remember any of this is because the standardization organizations are 100% shills of corporations and governments.

As you may have gathered from previous commentary, I'm not a big fan of corporations and governments. I'm an anarchist, and I always will be.

Archive powered by MHonArc 2.6.19.

Top of Page