0 points
matthew9219
3y ago
TLS security is rooted in DNS. It's ACME DNS-01. If your threat model includes nation states, this is a non-solution
6 comments · 3 top-level
rakoo
3y ago
Wrong, TLS security is independent from DNS. If my threat model includes nation states I'll trust my own certificates or my very own CA.
teddyh
3y ago
By trusting certificates, you implicitly trust all CAs, not just your own.
tptacek
3y ago
You trust your browser's root program, not "all CAs".
rakoo
3y ago
No, again in that threat model I can decide exactly which certificates and which CA I trust, one by one.
shp0ngle
3y ago
If your threat includes nation states then DNSSEC is double-useless?
Avamander
3y ago
If your threat model includes nation-states then DNSSEC won't help you either. WebPKI at least has a method for keeping track of and detecting misissuance, DNSSEC doesn't.