> How is it any better than cacert? Because you pin the trust to your own ca?
There is no third-party to trust between you and the domain you want to visit (again, assuming the blockchain doesn't lie), so you really have the information the domain owner wants you to have.
Well, the blockchian lying is one thing -- another thing is if it tells the truth about lies ("it" has been lied to).
I suppose my confusion stemmed from the fact that dnschain is two things: a way to secure data, and an infrastructure for registering data. Apparently there's no trust at the point of registration, which means the whole thing is entirely untrustworthy from a certain point of view (I don't necessarily thing this is a bad thing/feature -- it's just that without any form of vetting, there can be only a certain "kind" of trust), on the other hand if you trust the registration, you can trust your queries to return data that has been registered.
With the/a CA system, you can trace trust trough keys back to organizations/individuals (that either act in bad faith, or has been compromised) -- but detecting such bad behaviour is out of scope of the CA system.
A traditional DNS server does not give you access to blockchain-based domains. Blockchain TLDs (like .bit) can be MITM-proofed. DNSChain also lets you communicate with blockchains over a MITM-proof HTTPS connection:
https://github.com/okTurtles/dnschain/blob/master/docs/What-...
> not that such metadata isn't rather obvious anyway by observing traffic between ips.
Tor is your best option if you want complete anonymity. DNSChain does have a planned feature called Unblock, which is effectively a DNS-based proxy that hides metadata as it travels between client and DNSChain, but if you want the best anonymity you should still use Tor.
DNSChain is a secure PKI solution (alternative to X.509), the primary purpose of which is to securely and simply distribute public keys, as that's what provides protection from MITM attacks.
> How is it any better than cacert? Because you pin the trust to your own ca? What stops you from doing that now (how is the trust different with dnschain?).
CACert is a CA. You can certainly design your software to only trust certificates from one CA, but that is only useful in special-purpose situations, it's not going to work for general purpose browsing.
In X.509, everyone on the Internet is forced to trust the weakest link, and security decreases for everyone with the more CAs there are. The opposite is true with DNSChain-based PKI, where the more independent servers that are queried, the more certain you can be of the authenticity of the response. If you completely trust a particular DNSChain server, then it's the only server you need to query.
> If you completely trust a particular DNSChain server, then it's the only server you need to query.
I guess this is the part that is still unclear to me: How is this different from a curated list of pinned certs coupled with a ca cert store that holds only my own ca cert? How can/why should I trust a dnschain server to validate google.com? Because there is ample evidence in the blockchain that others have been tricked by/trusted a particular key/cert for google.com?
Will this be a problem for low-end phones? Why not ECC certificates?
That's a great suggestion, thank you. I chose to use RSA because it has excellent browser support and I don't know how good the browser support for ECC is. If anyone has any useful links/info on this I'd appreciate it very much. Note that you can of course generate and use whatever sort of key/cert pair you'd like.
