Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] Https login

discuss AT

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] Https login

Chronological Thread 
  • From: Trevor Nelson <trevor AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] Https login
  • Date: Sat, 30 Nov 2013 02:29:53 -0600

This is absolutely a discussion worth having, since it seems to me that the structures of accountability that people take for granted on the internet are becoming more political and dangerously more centralized. Since your average internet user or even an engineer only works with a subset of the internet, they cannot possibly be familiar with all of the mechanisms that put it together.

I might have to do some research into OpenPGP. Just as recently as this week I've finally moved my domain to a full VPS where I have configured my own secure email server. Therefore I have the means to experiment with this technology, at least on my mail server. It looks as if you run your own server too, it might be worth testing to shoot some emails back and forth. I think your NAT-centric P2P designs sound like a fascinating concept and definitely would be worth testing out.

Some readers of this thread might think that this has nothing to do with the OpenNIC and may not belong on this list but I think the discussion of internet infrastructure overall is an important one to have since the whole point of a secure, democratic DNS is lost if other parts of internet infrastructure are not managed in the same fashion.

On 11/28/2013 10:38 PM, Coyo wrote:
Yeah, it's a horrendous situation. All too many engineers don't see or comprehend the threat, and I find that a sad and somewhat detestable thing. I understand that many engineers can't comprehend a threat that they participate in, and I can understand that, but most of those engineers don't call whether to seize a domain or to raid a data center. They can't comprehend what that does to an otherwise free and worthwhile society, much less to an already fundamentally flawed one.

Although in theory, OpenPGP can be used for not only automated server-to-server communications, but serverless communications with the reliability, reachability, security, privacy and convenience for which servers are used at all.

Although the Internet was originally designed with end-to-end connectivity with no inherent distinction between clients and servers in terms of centralized data centers and the inability to host servers at home if you wanted to do so, the reality is that data centers are king, and NAT firewalls restrict everything we say and do online, and expose our private information in unexpected and insidious ways.

I have personally been experimenting with NAT-centric P2P designs that not only function in multiple layers of synchronous or bidirectional PNAT firewalls, but thrive in it, abandoning the original design and architecture of the Internet as a whole in favor of security, privacy and functionality.

It is not ready to be widely exposed, much less used, but the important part is to prove the concept.

On 11/28/2013 03:44 PM, Trevor Nelson wrote:
To build on Coyo's point:

The link dates from 2010 when people by and large didn't believe that this would become an issue. I agree the CA system is absolutely and fundamentally broken, centralizing the entire cryptographic identity power within a few corporations. Would could possibly go wrong?

VeriSign can't be trusted as far as they can be thrown as they're notorious for seizing domains at the behest of lobbying organizations and the US government. I've seen a couple of proposals for moving away from the CA system but nothing concrete. I'd like to do more research into that area as I think it is one of the major risks to next-gen privacy in a world where every organization is seemingly spying on you. I realize it is out of the scope of this list a bit, but I do think it is a conversation worth having.

On 11/28/2013 3:20 PM, Coyo wrote:

We need an alternative server-to-server authentication system to the CAs. The CA system is proven to be broken. Don't believe me? Call +1 415 436 9333 to contact the Electronic Frontier Foundation. Ask about Certificate Authority abuses such as forged signatures by Verisign and GoDaddy, and how ICE domain seizure is possible.

Although Comodo is relatively trustworthy (compared to Verisign), all Certificate Authorities are high-value targets for litigation or even private property raids and seizures. What a bunch of jackbooted Nazis.

I'd say use PGP, but that cryptosystem is not intended for server-to-server communications, and relies on manual involvement.

Isn't there a system proposed somewhere that let you place PGP certs in a DNS record? Wasn't there an RFC somewhere that proposed PGP-TLS extensions? I vaguely recall somewhere that there were some DNS records intended for the ability to use DANE to provide all authentication, without a single x.509 certificate anywhere. I'm pretty sure there was a proposed DNS record type to provide a PGP-signed x.509 certificate via DANE, but the reason I don't remember any of this is because the standardization organizations are 100% shills of corporations and governments.

As you may have gathered from previous commentary, I'm not a big fan of corporations and governments. I'm an anarchist, and I always will be.

You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT

You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT

Archive powered by MHonArc 2.6.19.

Top of Page