1. 4

  2. 3

    I find this kind of article annoying (“I don’t know anything about this topic so here’s my criticism of my own guesses”) but I would love to read a follow-up describing what they think “straight binary x.509” looks like. :)

    1. 1

Honestly I just want to see a DHT-based domain system come into use. GNS of the GNUnet project exists, but it really doesn’t seem to be in regular usage.

      1. 1

        Note to self, read the whole article before commenting!

        1. 1

          Tying DNS and TLS together is a bit like tying L4 and L7 protocols together: it’s a minor optimization that makes systems much harder to reason about by eliminating a layer of abstraction. Of course, Google is tying L4 and L7 protocols together with QUIC, but I don’t think we should encourage the same behavior again.

          1. 1

            If sending a certificate chain during the TLS handshake is really adding that much overhead, then maybe there’s another argument for widespread adoption of DANE and simplification of TLS? Then a server could just send an unadorned public key without all that cert chain rigamarole, and the client verifies the fingerprint against DNS.

For that matter, Ed25519 public keys are pretty tiny; they could fit comfortably in a TXT record. Let’s do that. The server wouldn’t even need to send along its public key at connect time, because the client got it from DNS, most likely from a cache that is much closer to the client than the server is.

All of this assumes DNSSEC.

            Let’s help the CA dinosaurs find their asteroid.
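The check described in the comment above (client verifies the server’s raw key against a DNSSEC-protected DNS record) is what DANE’s TLSA record already standardizes: usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 0/1/2. The following is an added example, not code from the commenter; it assumes the Ed25519 SPKI DER encoding from RFC 8410, a constructed sample key, and that the resolver has already reported whether the record was DNSSEC-validated.

```python
import hashlib
import hmac
from dataclasses import dataclass

# DER prefix of a SubjectPublicKeyInfo for Ed25519 (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (32 key bytes) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: trust this end-entity key directly, no CA chain
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes


def ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in its SPKI DER encoding."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def parse_tlsa_presentation(text: str) -> TLSA:
    """Parse the zone-file form '3 1 1 <hex>' into a TLSA record."""
    usage, selector, matching, hexdata = text.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))


def tlsa_for_key(raw_key: bytes, matching: int = 1) -> TLSA:
    """What the domain owner publishes: a '3 1 <matching>' record for this key."""
    spki = ed25519_spki(raw_key)
    digest = {0: spki, 1: hashlib.sha256(spki).digest(), 2: hashlib.sha512(spki).digest()}
    return TLSA(usage=3, selector=1, matching=matching, data=digest[matching])


def key_matches_tlsa(raw_key: bytes, record: TLSA, dnssec_validated: bool) -> bool:
    """Client side: accept the presented key only if an authenticated record matches."""
    if not dnssec_validated:
        return False  # an unsigned answer could have come from anyone on the path
    if record.usage != 3 or record.selector != 1:
        return False  # only the DANE-EE / SPKI form is handled here
    spki = ed25519_spki(raw_key)
    if record.matching == 0:
        expected = spki
    elif record.matching == 1:
        expected = hashlib.sha256(spki).digest()
    elif record.matching == 2:
        expected = hashlib.sha512(spki).digest()
    else:
        return False  # unknown matching type: treat as unusable, not as a match
    return hmac.compare_digest(expected, record.data)


if __name__ == "__main__":
    server_key = bytes(range(32))  # constructed sample key, not a real one
    published = tlsa_for_key(server_key)
    print("3 1 1", published.data.hex())  # the record the zone would carry
    print(key_matches_tlsa(server_key, published, dnssec_validated=True))
```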