[Ach] bettercrypto.org cert blocked in chrome 56

Alice Wonder alice at librelamp.com
Fri Dec 2 12:34:16 CET 2016


On 12/02/2016 02:37 AM, Terje Elde wrote:
>
>> On 02 Dec 2016, at 10:18, Alice Wonder <alice at librelamp.com> wrote:
>>
>> DNSSEC locks the user into fingerprints signed by my private signing key. This is not a signing key that the TLD has access to.
>>
>> You can argue that a nefarious actor could create their own signing key and get the TLD to sign the DS records associated with that key, but that is a very visible action that would be seen in the DNS responses from the TLD. It's out in the open.
>
> Yes, unless you selectively serve out the signed records.
>
> Quite honestly though, my main concern with DNSSEC as compared to HPKP is adoption-rate really.

Yeah, I know DNSSEC adoption is presently rather low. For me personally, 
popularity is not what warrants merit.

Microsoft FrontPage used to be extremely popular; that didn't make it a 
good product.

The popularity of HPKP is the result of Google pushing it on the 
industry after developing it in private themselves. They did not involve 
the Internet community in its design until after it was already 
implemented in Chrome.

I'm tired of letting Google rule the Internet. But that's not a 
technical objection; technical objections I already listed, but it would 
have been nice if HPKP could have been developed in an open manner where 
those issues maybe could have been addressed before it was put into use.


