Quoting Stéphane Glondu (2013-05-17 08:14:13)
> On 16/05/2013 18:37, Russ Allbery wrote:
> >>> You could, in theory, switch to DNSSEC, but now you're just
> >>> replacing one CA cartel with another.
> >
> >> Except that with DNSSEC (and DANE), the number of people you have
> >> to trust is much smaller.
> >
> > Right, it depends on what your risk model is. If you're defending
> > against incompetence and/or commercial greed overriding security
> > practices, DNSSEC looks a lot more appealing than the CA cartel,
> > since there isn't the same level of commercial incentive to cut
> > corners and do a crappy job (there's some, but it's not as bad).
> > But if you're defending against governments, DNSSEC isn't going to
> > help. I think it's best to assume that both the US and Chinese
> > governments, at least, can make DNSSEC say what they want it to if
> > they ever needed to.
>
> That might be, but you already have to trust the "DNS cartel" anyway
> for resolving domain names (which is needed in WebID, BrowserID, ...).
> You don't have to give trust to new entities when using DNSSEC.

...as long as using WebID with DNS-based URIs.

Some may choose to use e.g. .onion-based WebID URIs (using custom
authentication mechanisms until more formally defined), where data
processing uses the exact same tools, and where data can be intermixed
with more classic "cartel-infected" nodes.

...which means WebID allows for an evolutionary migration to a
cartel-free web, for those wanting that but who do not believe it can
happen in one go, and those wanting that for a subset of the internet
while also wanting to seamlessly exchange with legacy webs.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private