Reply to post: Re: All I want to know

CloudFlare drinks the DNSSEC kool-aid, offers it on universal basis

PyLETS
Big Brother

Re: All I want to know

It doesn't offer any protection against the proposed snoopers charter directly. However, once sufficiently widely adopted, it enables developing more widely used cryptography (e.g. for email contents and addresses) based on a better chain of trust than the current CA system. Under the CA COT, any one bad CA out of several hundred can compromise any domain. Under the DNSSEC COT, those in a position to compromise your chain of trust is likely to be exposed (by signing collectable and provably false statements about any lower-level key they compromise), and held to account in connection with this proof resulting in massive reputation damage. Another advantage of the DNSSEC COT is you can choose whichever top level domain or registrar you do trust to verify your identity and keys, by establishing your identity within their namespace.

Obviously anyone concerned about this should manage their own private keys themselves - the DNSSEC or CA COT are concerned about how other parties verify the identity associated with these keys. Those without the technical capacity to do so are likely to pick a trusted provider to do this for them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022