undefined | Better HN

0 pointstptacek9mo ago0 comments

Incoherent. Browser vendors exert control by dint of controlling the browsers themselves, and are in the picture regardless of the trust system used for TLS. The question is, which is more centralized: the current WebPKI, which you say is also completely dependent on the DNS but involves more companies, or the DNS itself, which is axiomatically fewer companies?

I always love when people bring the ccTLDs into these discussions, as if Google could leave .COM when .COM's utterly unaccountable ownership manipulates the DNS to intercept Google Mail.

0 comments

3 comments · 1 top-level

teddyh9mo ago· 2 in thread

> when .COM's utterly unaccountable ownership manipulates the DNS to intercept Google Mail.

Why is this more likely to happen than a rogue CA issuing a false certificate?

Also, Google has chosen to trust .com instead of using one of their eleven TLDs that they own for their own exclusive use, or any of the additional 22 TLDs that they also operate.

akerl_9mo ago

When a rogue CA issues a bad cert, they get delisted from all major browsers and are effectively destroyed.

That isn’t possible with .com

teddyh9mo ago

The DNS is federated and hierarchical. A domain name (including top-level domains) is controlled by a single entity. If you do not trust that entity, you cannot trust that domain or top-level domain, or anything beneath that in the tree. But given that you trust the root zone, you can still (potentially) trust other subtrees in the DNS, like other top-level domains.

This is not the case with a CA, however; you are forced to trust all of them, and hope that when fradulent certificates are issued (as has happened several times, IIUC), that they will not affect you.

1 more reply

j / k navigate · click thread line to collapse