
Governments today have too much control over Internet crypto keys. I am baffled by arguments that suggest it might be a good thing to just give up and give them total control over them.



Today, many, many governments can create TLS certs for any website domain.

With DNSSEC, only the USA can, and other governments can only create TLS certs for a small and distinct subset of website domains. That's better.

(It would be even better if dns resolvers included certs for all TLDs they knew about, and did not rely on the root keys for those TLDs. Just like pinning TLS certs. Then, you can choose a TLD run by an organization you trust, and even the US won't be able to forge your certs.)
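The pinned-TLD idea in the comment above, as an added illustration (a toy model in Python, not real DNSSEC records and not code from the thread): each zone signs the key it delegates to its child, the way a DS record vouches for a child DNSKEY, and a resolver whose trust anchor is the TLD key rather than the root key rejects a branch forged by whoever holds the root key. All zone names and keys are constructed for the example.

```python
# Modelled DNSSEC chain of trust (constructed example). A "delegation" is the parent's
# signature over (child name, child public key); validation walks the chain top-down.
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.exceptions import InvalidSignature

def keypair():
    priv = Ed25519PrivateKey.generate()
    return priv, priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

def delegation(parent_priv, child_name, child_pub):
    """Parent vouches for the child's key: a modelled DS/RRSIG pair."""
    return (child_name, child_pub, parent_priv.sign(child_name.encode() + child_pub))

def validate(chain, anchors):
    """chain: list of (parent_name, delegation), top-down. anchors: {zone: trusted pub key}.
    Returns the leaf key (the modelled DANE/TLSA cert for the site) or None on failure.
    A pinned anchor lower in the chain overrides whatever the zones above it asserted."""
    trusted = None
    for parent_name, (child_name, child_pub, sig) in chain:
        if parent_name in anchors:      # pinned key for this zone beats the inherited one
            trusted = anchors[parent_name]
        if trusted is None:
            continue                     # above our lowest anchor: nothing to check yet
        try:
            Ed25519PublicKey.from_public_bytes(trusted).verify(
                sig, child_name.encode() + child_pub)
        except InvalidSignature:
            return None
        trusted = child_pub
    return trusted

# Honest zones: root -> org -> example.org
root_priv, root_pub = keypair()
org_priv, org_pub = keypair()
_, site_pub = keypair()
honest_chain = [(".", delegation(root_priv, "org", org_pub)),
                ("org", delegation(org_priv, "example.org", site_pub))]

# An actor holding only the root key forges a parallel .org branch with its own keys
fake_org_priv, fake_org_pub = keypair()
_, fake_site_pub = keypair()
forged_chain = [(".", delegation(root_priv, "org", fake_org_pub)),
                ("org", delegation(fake_org_priv, "example.org", fake_site_pub))]

root_only = {".": root_pub}                    # ordinary resolver: trusts the root key
pinned_tld = {".": root_pub, "org": org_pub}   # resolver that also pins the real .org key
```

With `root_only` the forged branch validates just like the honest one; with `pinned_tld` the honest chain still validates and the forged one is rejected, because the forged .org key is never consulted.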


> With DNSSEC, only the USA can, and other governments can only create TLS certs for a small and distinct subset of website domains. That's better.

I fail to see how that is better.


Fewer organisations that can forge = fewer weak points = better security


And if the government or anyone creates a bogus cert for a TLS domain, you can exclude it from your cert store. DNSSEC, not so much.



