matthew9219
2y ago
TLS security is rooted in DNS. It's ACME DNS-01. If your threat model includes nation states, this is a non-solution.
rakoo
2y ago
Wrong, TLS security is independent from DNS. If my threat model includes nation states I'll trust my own certificates or my very own CA.
teddyh
2y ago
By trusting certificates, you implicitly trust all CAs, not just your own.
tptacek
2y ago
You trust your browser's root program, not "all CAs".
rakoo
2y ago
No, again in that threat model I can decide exactly which certificates and which CA I trust, one by one.
shp0ngle
2y ago
If your threat includes nation states then DNSSEC is double-useless?
Avamander
2y ago
If your threat model includes nation-states then DNSSEC won't help you either. WebPKI at least has a method for keeping track of and detecting misissuance, DNSSEC doesn't.