
Re: [opennic-discuss] Https login

  • From: Coyo <coyo AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] Https login
  • Date: Thu, 28 Nov 2013 22:38:23 -0600

Yeah, it's a horrendous situation. All too many engineers don't see or comprehend the threat, and I find that a sad and somewhat detestable thing. I understand that many engineers can't comprehend a threat that they participate in, and I can understand that, but most of those engineers don't call whether to seize a domain or to raid a data center. They can't comprehend what that does to an otherwise free and worthwhile society, much less to an already fundamentally flawed one.

Although in theory, OpenPGP can be used for not only automated server-to-server communications, but serverless communications with the reliability, reachability, security, privacy and convenience for which servers are used at all.

Although the Internet was originally designed with end-to-end connectivity with no inherent distinction between clients and servers in terms of centralized data centers and the inability to host servers at home if you wanted to do so, the reality is that data centers are king, and NAT firewalls restrict everything we say and do online, and expose our private information in unexpected and insidious ways.

I have personally been experimenting with NAT-centric P2P designs that not only function in multiple layers of synchronous or bidirectional PNAT firewalls, but thrive in it, abandoning the original design and architecture of the Internet as a whole in favor of security, privacy and functionality.

It is not ready to be widely exposed, much less used, but the important part is to prove the concept.

On 11/28/2013 03:44 PM, Trevor Nelson wrote:
To build on Coyo's point:

The link dates from 2010 when people by and large didn't believe that this would become an issue. I agree the CA system is absolutely and fundamentally broken, centralizing the entire cryptographic identity power within a few corporations. What could possibly go wrong?

VeriSign can't be trusted as far as they can be thrown as they're notorious for seizing domains at the behest of lobbying organizations and the US government. I've seen a couple of proposals for moving away from the CA system but nothing concrete. I'd like to do more research into that area as I think it is one of the major risks to next-gen privacy in a world where every organization is seemingly spying on you. I realize it is out of the scope of this list a bit, but I do think it is a conversation worth having.

On 11/28/2013 3:20 PM, Coyo wrote:

We need an alternative server-to-server authentication system to the CAs. The CA system is proven to be broken. Don't believe me? Call +1 415 436 9333 to contact the Electronic Frontier Foundation. Ask about Certificate Authority abuses such as forged signatures by Verisign and GoDaddy, and how ICE domain seizure is possible.

Although Comodo is relatively trustworthy (compared to Verisign), all Certificate Authorities are high-value targets for litigation or even private property raids and seizures. What a bunch of jackbooted Nazis.

I'd say use PGP, but that cryptosystem is not intended for server-to-server communications, and relies on manual involvement.

Isn't there a system proposed somewhere that lets you place PGP certs in a DNS record? Wasn't there an RFC somewhere that proposed PGP-TLS extensions? I vaguely recall somewhere that there were some DNS records intended for the ability to use DANE to provide all authentication, without a single X.509 certificate anywhere. I'm pretty sure there was a proposed DNS record type to provide a PGP-signed X.509 certificate via DANE, but the reason I don't remember any of this is because the standardization organizations are 100% shills of corporations and governments.

As you may have gathered from previous commentary, I'm not a big fan of corporations and governments. I'm an anarchist, and I always will be.
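An added example, not part of any message in this thread, showing the mechanism Coyo is reaching for in the quoted message: a DANE TLSA check (RFC 6698). With usage 3 (DANE-EE) the client compares the server's certificate or public key against association data published in DNS and never consults a CA at all; the record's integrity then rests on DNSSEC, so a TLSA lookup that is not DNSSEC-validated gives no more assurance than any other DNS answer. The certificate builder, the key bytes and the record values below are constructed stand-ins for illustration; a real client would take the DER certificate from the TLS handshake and the TLSA RDATA from a validated DNS query.

```python
"""DANE TLSA matching (RFC 6698), self-contained illustration.

A TLSA record ties a TLS service to a certificate or key through DNS.
With usage 3 (DANE-EE) the leaf certificate is checked directly against
the DNS-published association data; no CA chain is involved.
"""
import hashlib
import hmac

SEQUENCE, INTEGER, BITSTRING, NULL, OID, UTCTIME = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17
CONTEXT_0 = 0xA0  # [0] EXPLICIT version inside TBSCertificate


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def der_children(blob: bytes) -> list:
    """Split concatenated DER TLVs into (tag, value, raw_tlv) tuples."""
    out, i = [], 0
    while i < len(blob):
        tag, first = blob[i], blob[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(blob[i + 2:i + 2 + k], "big"), 2 + k
        end = i + hdr + n
        out.append((tag, blob[i + hdr:end], blob[i:end]))
        i = end
    return out


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Raw DER of subjectPublicKeyInfo (TLSA selector 1).
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    outer = der_children(cert_der)
    if len(outer) != 1 or outer[0][0] != SEQUENCE:
        raise ValueError("certificate is not a single DER SEQUENCE")
    tbs_tag, tbs_body, _ = der_children(outer[0][1])[0]
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == CONTEXT_0:  # drop the optional explicit version
        fields = fields[1:]
    spki_tag, _, spki_raw = fields[5]
    if spki_tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw


def tlsa_assoc_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate association data for a TLSA selector / matching type."""
    if selector == 0:            # Cert(0): the whole certificate
        subject = cert_der
    elif selector == 1:          # SPKI(1): only the public key info
        subject = subject_public_key_info(cert_der)
    else:
        raise ValueError(f"unsupported selector {selector}")
    if matching_type == 0:       # Full(0)
        return subject
    if matching_type == 1:       # SHA2-256(1)
        return hashlib.sha256(subject).digest()
    if matching_type == 2:       # SHA2-512(2)
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def parse_tlsa_rdata(rdata: str) -> tuple:
    """Parse presentation-format RDATA such as '3 1 1 <hex>'."""
    usage, selector, mtype, data = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)


def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """True if the leaf certificate satisfies a usage-3 TLSA record.
    Usage 1 would also need PKIX validation; usages 0/2 constrain the chain."""
    usage, selector, mtype, data = parse_tlsa_rdata(rdata)
    if usage != 3:
        raise ValueError(f"usage {usage} needs chain processing not shown here")
    return hmac.compare_digest(tlsa_assoc_data(cert_der, selector, mtype), data)


def build_toy_certificate(public_key: bytes) -> bytes:
    """Constructed, unsigned X.509-shaped DER blob (demonstration only)."""
    rsa_alg = der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b"")  # rsaEncryption
    sig_alg = der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b"")  # sha256WithRSAEncryption
    spki = der(SEQUENCE, der(SEQUENCE, rsa_alg) + der(BITSTRING, b"\x00" + public_key))
    tbs = der(SEQUENCE,
              der(CONTEXT_0, der(INTEGER, b"\x02"))         # version v3
              + der(INTEGER, b"\x01")                       # serialNumber
              + der(SEQUENCE, sig_alg)                      # signature algorithm
              + der(SEQUENCE, b"")                          # issuer (empty Name, toy)
              + der(SEQUENCE, der(UTCTIME, b"131128000000Z") + der(UTCTIME, b"141128000000Z"))
              + der(SEQUENCE, b"")                          # subject (empty Name, toy)
              + spki)
    return der(SEQUENCE, tbs + der(SEQUENCE, sig_alg) + der(BITSTRING, b"\x00" * 9))  # dummy sig


def demo() -> tuple:
    """Publish a '3 1 1' pin for one key, then check that cert and a substituted one."""
    pinned = build_toy_certificate(b"constructed-public-key-bytes")
    rdata = "3 1 1 " + tlsa_assoc_data(pinned, 1, 1).hex()   # what the zone would publish
    swapped = build_toy_certificate(b"rotated-or-substituted-key")
    return tlsa_matches(pinned, rdata), tlsa_matches(swapped, rdata)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Selector 1 with matching type 1 ("3 1 1") is the common operational choice because it pins the key rather than the whole certificate, so a re-issued certificate for the same key keeps matching; the price is that any key rotation must be preceded by publishing the new record, which is where most DANE outages come from.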
