Convergence: User-controlled SSL certificate checking

Posted Oct 28, 2011 18:29 UTC (Fri) by sblack (guest, #81076)
In reply to: Convergence: User-controlled SSL certificate checking by michi
Parent article: Convergence: User-controlled SSL certificate checking

Marlinspike addresses DNSSEC at the end of his talk and on his blog [1]. The short version is, you're just moving the trust around. There is, if anything, less reason to trust GoDaddy.com to keep their servers secure than there is to trust VeriSign.

[1] http://blog.thoughtcrime.org/


Convergence: User-controlled SSL certificate checking

Posted Oct 29, 2011 14:37 UTC (Sat) by michi (guest, #60274)

Hi!

I agree with you that shifting the trust to DNS providers will not really solve much. But my point was actually: If DNSSEC cannot be trusted, why should Perspectives be trusted?

However, I still think DNSSEC is good. First, it can be implemented in addition to CAs, so there are 2 layers of security. Second, only the DNS provider can compromise a specific site, and not a huge number of unrelated organisations.

The approach I like best is using .onion-like addresses with the crypto key encoded in the URL.

