undefined | Better HN

0 pointslmm2y ago0 comments

Using any web service requires implicitly trusting the government (in the sense of the entity that can give orders that men with guns will follow; not necessarily the party currently in power, in the case of places that have checks and balances) of wherever it's hosted. Not being also obliged to trust 170-odd other governmental and nongovernmental entities would be a step up (I know certificate transparency helps with this to a certain extent, but being a root CA is still a privileged status; really I should be able to use a .foo domain without putting any trust in entities outside foo)

0 comments

2 comments · 1 top-level

tptacek2y ago· 1 in thread

It is simply not true that using any service on the Internet requires you to trust the government. I do appreciate the clarity with which we can associate that idea with DNSSEC advocacy, though. "30 years of Internet privacy research have shown: we should just give up and let governments run the show, they're going to anyways".

Unfortunately, the IETF has categorically rejected that argument:

https://datatracker.ietf.org/doc/html/rfc7624

lmmOP2y ago

It's not that I want to trust governments more. I want to get away from the "flat list of 170+ root certificates" model because I want to trust a bunch of governments (not least that of the US) less!

Is your argument with the RFC that content exfiltration is always more costly than active network attacks? Obviously all else being equal that's true, but it's an overly simplistic model when multiple countries come into play - for a government, an active network attack against a foreign power is much more costly than any king of attack, even content exfiltration, against a company within your country.

j / k navigate · click thread line to collapse