[Ach] bettercrypto.org cert blocked in chrome 56
alice at librelamp.com
Fri Dec 2 12:34:16 CET 2016
On 12/02/2016 02:37 AM, Terje Elde wrote:
>> On 02 Dec 2016, at 10:18, Alice Wonder <alice at librelamp.com> wrote:
>> DNSSEC locks the user into fingerprints signed by my private signing key. This is not a signing key that the TLD has access to.
>> You can argue that a nefarious actor could create their own signing key and get the TLD to sign the DS records associated with that key, but that is a very visible action that would be seen in the DNS responses from the TLD. It's out in the open.
> Yes, unless you selectively serve out the signed records.
> Quite honestly though, my main concern with DNSSEC as compared to HKPK is adoption-rate really.
Yeah, I know DNSSEC adoption is presently rather low. For me personally,
popularity is not what warrants merit.
Microsoft Frontpage use to be extremely popular, that didn't make it a
The popularity of HPKP is the result of Google pushing it on the
industry after developing it in private themselves. They did not involve
the Internet community in its design until after it was already
implemented in Chrome.
I'm tired of letting Google rule the Internet. But that's not a
technical objection, technical objections I already listed, but it would
have been nice if HPKP could have been developed in an open manner where
those issues maybe could have been addressed before it was put into use.
More information about the Ach