

These are not the SSL certs you're looking for - sp332
http://dankaminsky.com/2011/08/31/notnotar

======
moxie
I think that Dan is heavily invested in trying to "fix" DNS, and that he's
arrived at DNSSEC as a way to do that. The problem for him, like most DNSSEC
advocates, is that nobody cares about DNSSEC, and so it's not really
happening.

People are starting to care about CAs, though, and so it seems convenient for
DNSSEC advocates to hitch their wagon on a solution to _that_ issue, because
it might actually get DNSSEC moving.

The trouble is that they don't really get the problem. The problem with CAs
today is a lack of trust agility, and instead of improving trust agility,
DNSSEC makes it worse.

People object that we already have to trust the TLDs and the registrars, that
it's already bad, that we're already beholden to parties we wish we weren't. I
don't understand how this resonates with anyone -- if we acknowledge that
things are bad, we should be trying to move away from that, not throwing our
hands up, embracing it, and moving towards it.

------
tptacek
I do not follow what this post is trying to say.

First, many grafs about what appears to be a wild goose chase for a forged
Facebook cert that turns out to be real.

Then, ruminations on OCSP and serial number assertions, with the apparent idea
that we need better cryptographic methods to deal with CAs that misbehave so
that we don't have to apply the Internet CA Death Penalty so often.

Then the notion that we have "1500 CAs", so what we really need to do is
invest every DNS zone with CA powers (because if 1500 is too many, millions is
better?).

We need fewer CAs.

We need to apply the Internet CA Death Penalty _way more often_. I think we
should do it at random, just to keep people on their toes.

We need a better mechanism for determining CA roots than "the right set of
tickets was filed in Mozilla Bugzilla".

We need a better UX for certificate failures.

None of these things require profound infrastructure changes. Smart people can
build this stuff as a side project. Moxie Marlinspike is doing exactly that
with CONVERGENCE.IO.

~~~
tedunangst
_Then the notion that we have "1500 CAs", so what we really need to do is
invest every DNS zone with CA powers (because if 1500 is too many, millions is
better?)._

I think you've shot rather wide of the mark here. Every DNS zone does _not_
have CA powers, at least not in the sense that payp4l.com could vouch for
paypal.com. Sure, paypal can bone up their own zone. Or .com screws up (that'd
be bad). But an honest appraisal would recognize that the DNSSEC solution
means there is exactly one CA _per_ domain and you know in advance who it is.
That's way better than having to guess which of 1500 CAs is the legit signer.

~~~
tptacek
You're right; the "1500 vs. 1,000,000" thing was an unfair potshot.

