On Thu, Aug 23, 2012 at 13:12, Ryan Kirk wrote:

> One thing I've never understood is that if you're MITM'd, what good is
> a cert revocation going to do? The proxying individual can easily
> block access to the revocation lists, and your browser be none the
> wiser.
hahaha, I've seen exactly one program complain about being unable to contact the revocation server. The fucking java auto updater on windows for some reason can never make contact.

> 'DNS-based Authentication of Named Entities', in my opinion, is a more
> promising system than certificate pinning, as it allows web site
> operators to publish certificates (or hashes of them) in DNS. However,
> this would require DNSSEC to be secure (which itself seems to be mired
> in controversy lately, not to mention the slow rate of adoption), and
> the project at IETF appears to be mostly dead:
> https://datatracker.ietf.org/wg/dane/charter/

I'm not sure if this is the same proposal as the one I saw before, but this is what really sold me on dnssec. dns is a naturally delegated hierarchy, it adapts well to a trust hierarchy.
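The DANE mechanism the thread is discussing publishes TLSA records (RFC 6698) whose rdata is four fields: certificate usage, selector, matching type, and certificate association data. The example below, added here and not part of the original thread or of any DANE implementation, shows how a client would generate and check those records against a presented certificate, and why the check is only meaningful when the DNS answer was DNSSEC-validated (the `dnssec_validated` flag models the AD bit a validating resolver would set). The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER; the example covers only the end-entity usages (1 and 3), since the trust-anchor usages (0 and 2) match against a CA certificate in the chain rather than the leaf.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Field values from RFC 6698 section 2.1
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed sample bytes standing in for DER-encoded structures (not real certificates).
CERT_DER = b"constructed-sample-end-entity-certificate-DER-bytes"
SPKI_DER = b"constructed-sample-SubjectPublicKeyInfo-DER-bytes"
MITM_CERT_DER = b"constructed-sample-proxy-certificate-DER-bytes"
MITM_SPKI_DER = b"constructed-sample-proxy-SubjectPublicKeyInfo-DER-bytes"


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching: int
    data: bytes  # certificate association data


def association_data(selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the association data for a certificate, per selector and matching type."""
    if selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        raise ValueError(f"unsupported selector {selector}")
    if matching == MATCH_EXACT:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching}")


def make_record(usage: int, selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> TLSARecord:
    """What a zone operator publishes for the certificate it actually serves."""
    return TLSARecord(usage, selector, matching, association_data(selector, matching, cert_der, spki_der))


def to_rdata(record: TLSARecord) -> str:
    """Presentation format, e.g. '3 1 1 <hex>' as it appears in a zone file."""
    return f"{record.usage} {record.selector} {record.matching} {record.data.hex()}"


def parse_tlsa_rdata(rdata: str) -> TLSARecord:
    """Parse presentation-format rdata; zone files may wrap the hex across tokens."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, matching = (int(p) for p in parts[:3])
    return TLSARecord(usage, selector, matching, bytes.fromhex("".join(parts[3:])))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented certificate match this record? Constant-time compare."""
    try:
        expected = association_data(record.selector, record.matching, cert_der, spki_der)
    except ValueError:
        return False  # unusable record: ignore rather than fail open
    return hmac.compare_digest(expected, record.data)


def evaluate(records, cert_der: bytes, spki_der: bytes, dnssec_validated: bool, pkix_valid: bool) -> bool:
    """Accept the presented end-entity certificate if a usable record matches.

    Without DNSSEC validation the TLSA answer could have been supplied by the
    same party that intercepts the TLS connection, so it carries no authority.
    Usage 1 additionally requires the ordinary PKIX chain to validate; usage 3
    stands on the DNSSEC-signed record alone.
    """
    if not dnssec_validated:
        return False
    for rec in records:
        if rec.usage not in (USAGE_PKIX_EE, USAGE_DANE_EE):
            continue  # trust-anchor usages need chain matching, not covered here
        if rec.usage == USAGE_PKIX_EE and not pkix_valid:
            continue
        if tlsa_matches(rec, cert_der, spki_der):
            return True
    return False


if __name__ == "__main__":
    published = make_record(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, CERT_DER, SPKI_DER)
    print(to_rdata(published))
    print("legit:", evaluate([published], CERT_DER, SPKI_DER, True, True))
    print("proxy:", evaluate([published], MITM_CERT_DER, MITM_SPKI_DER, True, True))
```

The `dnssec_validated` gate is the practical answer to the thread's objection about blocked revocation lookups: a resolver that fails to obtain a validated answer must treat the connection as unverified rather than quietly skipping the check, otherwise an on-path proxy can strip the record exactly as it can block a CRL fetch.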