I trust governments much less that a conglomerate of competing corporations.
With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better.
With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it.. but with today's climate, I am sure both US and many European countries will do that too)
Companies have run some absolutely outstanding PR then.
I have never worked in any company where I explicitly trust the CEO to always do the right thing in every situation.
There is usually no governance board, or review system to inquire about public harm: those things are usually external and fought against as they are regulatory burden.
So, in practice what tends to happen is that someone in the company just does stuff. Since humans aren't perfect this "doing stuff" is not always super enjoyable. If it's the CEO who "does stuff" then you're cooked because nobody except the board of directors can say anything meaningful: you gotta hope that the media wants to put pressure on.
Our elected officials on the other hand, are supposed to represent us, and thus media pressure is a lot stronger; issues that affect many people are meant to be properly reflected, and their decisions are open by default.
I'm not really in favor of DANE, because DNSSEC is such a mess ... but.
Certificate transparency is nice. Browsers could require it for DANE certificates, just like they require it for current Web PKI certificates.
The people controlling the TLD of interesting can exert control over the domain of interest in order to issue a DANE certificate. But they can also exert control over the domain of interest in order to request a domain control certificate, so widespread use of DANE wouldn't add any new adversaries. If DNSSEC wasn't a mess, and DANE replaced WebPKI, we would eliminate the risk from CAs without adding a new risk --- TLDs (and the DNS root) are existing risks.
And if they don't, DNS is already a database. You could just query domains to check their certificates. People running recursive DNS servers could double-check certificates.
CT seems useless for DANE because the cert is self signed, so anyone can just flood the CT with self signed certs for your website. It's useful with WebPKI because only certs signed by a CA go in CT and it's a big deal if one is mis-issued. Anyone can mis-issue a self-signed cert at home for fun.
You'd have to do something like pre-publish in DNS, submit to CT which verifies that it's in DNS before logging. And the CT could rate limit on domain name or something to reduce abuse.
> every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse.
Countries already have CA that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage.
> With DANE (or other country-issued certificates)
DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries.
DANE is entirely dependent on DNSSEC, and DNSSEC is, by design, under the government control, with all the bureaucratic mess and mistakes this implies.
This would be pretty terrible if anyone actually cared about DNSSEC, but luckily for us, no one cares.. So let's keep things this way.
Domain registries can already get a certificate for your domain by changing the address to their own server temporarily and then doing ACME with LE. So no new vector is introduced by directly putting the cert in DNS.
> I trust governments much less that a conglomerate of competing corporations
Let's not create a world wide PKI based on a political ideology.
> country-issued certificates [...] every government will absolutely double-issue certificates
This is such a strange argument. If you register a .ru domain, do you really think you are safe should the Russian intelligence services ask for a valid certificate? Controlling the actual domain, they could issue ask many domain validated certificates as they wish.
The problem with our current SSL PKI, as so very many people have pointed out over the years, is that any CA is allowed to issue valid certificates for any domain name. There have been proposals to use X.509 extensions to remedy this, but they have seen lesser real world usage than the various certificate revocation schemes, which is very close to zero already.
If there was no way for a Russian CA to issue certificates for .us domains, real world security would improve. A lot. And the other way around, of course.
Feel free to s/Russian/Chinese/ in the above argument or whatever tickles your geopolitical fancies. The argument still stands.
Domain registries decide who owns what domain. That is their literal role. You would think that asserting this ownership cryptographically would be a no-brainer in 2026. Yet we have this discussion over and over again. There are many people whose income quite literally depend on the status quo of our global SSL PKI, which coincidentally also offers no end of possibilities for the various intelligence services around the world.
The next time someone tries to scare you with that governments or intelligence services control DNS and therefore it would be crazy to limit issuance of certificates to them, take a look where they have contracts.
> The problem with our current SSL PKI, as so very many people have pointed out over the years, is that any CA is allowed to issue valid certificates for any domain name. There have been proposals to use X.509 extensions to remedy this, but they have seen lesser real world usage than the various certificate revocation schemes, which is very close to zero already.
Some of the browser root programs include (or have included) restrictions on what tlds a CA is allowed to sign. I think for some of the iffier CAs that nonetheless had a huge marketshare in their country of origin.
No need for the CA itself to include it in their root certificate.
It would be handy if the name restrictions actually worked though. Then you could probably get a CA to sign an intermediate CA authorized only to issue certs for your domain(s). There are some CAs that will do that already where they provide an HSM with the intermediate CA's key that will only sign certs for authorized domains, but the CA cert does not encode the constraint and this is permitted by the ca/b agreement. It just seems like it'd be nicer if it just worked.
It's not that high of a requirement. The sub-CA is allowed to self audit. But the original CA does have to check a percentage of certificates issued by the sub-CA.
So that's not going to be free. But it might be possible to do it if you were big enough to pay for it. I have dreams of having my private CA also signed off on by webpki so apps and browsers could use the same servers without having to include webpki in my apps.
I also started going down this rabbit hole when I wanted my homelab to just work in any device, and for advanced use cases Let's Encrypt isn't enough. I tried long and hard to get a sub-CA certificate, but apparently that's in the realm of «if you need to ask, you can't afford it».
If each country could only sign its own domains it would make sense. If the US could only tamper with .us domains the system could be trusted in general. After all, that's no worse than what they already do by coming to your house and putting a gun to your head.
Yeah, that's why most countries in EU, as well as US, are in a huge dissarray, politicians have all time low approvals, people vote for something and get the opposite, and the economy and social climate turned to shit...
I guess one doing well enough can be oblivious to all this...
Maybe, but then can only do it once. Then they get caught, and their CA is distrusted. See Diginotar [0] for example.
And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party.
If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country?
Side note: “DigiNotar BV was a Dutch certificate authority from 1998 to 2011. It was acquired in January 2011 by VASCO and subsequently declared bankrupt in September of the same year” [1].
I didn’t realize the slapped their face on the pavement right after being acquired.
If there is video and a text post, I think the text post is almost always better (except for the few rare cases where the text description is inadequate, like woodworking etc ...). The long videos where author just spends time talking are annoyingly slow, and looking at graphs in video player is simply miserable.
Thank eletrek for converting information yo a much faster to comprehend form!
This is not an example of that. It is perfectly within US jurisdiction to prevent US companies from doing business with sanctioned countries. That is the point of a sanction, and US is in good company in choosing to use sanctions as a diplomatic tool.
It is more of an example of how the internet/software industry is too consolidated to the US, and thus other countries are too dependent on the US in those areas. If the internet infrastructure was well distributed, then people in sanction countries could simply get certificates issued by a different CA, and in some cases they can. However, this is complicated by the fact that the list of trusted CAs is dominated by US organizations (Google, Mozilla, Apple, Microsoft). If you want to reach western audience you must use certs from a CA approved by them.
Exactly. Ever since I was a kid I never understood how the US has jurisdiction way beyond their borders.
Then I graduated in International Relations and understood that the hole is much deeper than that.
Now it's pretty obvious with all the shit that trump has been doing, but back then me and much of the people I know were oblivious to what US power really means.
US law is something US citizens get to decide. If they think it's "batshit", they should vote accordingly. In this case sanctions seem a pretty good alternative to going to war.
It's clear that those who voted recently for the President are getting what they wanted. Voting made a radical difference, even if the outcome isn't one I like. Whatever "studies" you read are obvious nonsense.
To be fair the US is a bit on an outlier here, as it is not afraid to come down on US companies for things subsidiaries do in other jurisdictions, on questionable grounds. So it would not be enough for Let's Encrypt to operate a European operation to sign European certificates.
Should the US wish to sanction the Hague, somewhat famous for its international court of justice, they would absolutely go after ISRG and it would not be enough for them to sever the ties of the hypothetical Let's Encrypt Europe. That would not be legal or last least highly questionable in most other democratic countries.
Of course not! just find viable alternatives to Microsoft, Apple, Mozilla, YCombinator, Google, Intel, AMD, ...
In all seriousness, as an American I'd love to see a healthier, more well-distributed tech industry, but I don't see many companies stepping up to provide competing services. It's my understanding that china has alternatives to many of these products/services, but I really don't see how anyone in Europe could possibly use a US-free internet.
> but I don't see many companies stepping up to provide competing services
Maybe because the US dropped most of its anti trust regulations, leading to ridiculously monopolistic practices such as "acquire everything that may be threatening".
When was the last time you heard about a European cellphone manufacturer, or social media network, or web browser being acquired by an American monopoly?
I can only think of Nokia, purchased by microsoft in 2014. Those phones ran windows CE before that even, so you could hardly have avoided the american tech industry.
All I'm trying to say is, it's impossible for Europeans to both A) be on the internet and B) avoid the US tech industry.
In the EU there is the threat of jail time if a user of your service does something bad and you haven't completed the necessary bureaucracy to be immune to it. This is the opposite of the US. See for example pissmail.
that's why the world need to wake up. With the due respect of any political beliefs here, in the course of politics any country can be deemed the US enemy (or any other country's enemy as a matter of fact), so for example firing the 3/4 of the company because we have Claude and ChatGPT (US based) is a major business continuation flaw...
I think a lot of older drivers (both filesystem and device) should move to userspace. There are no requirements for high performance for something like EFS, and fuse/libusb interfaces are significantly more stable that kernel internal structures.
That's "integrated information Φ"? Did you know you can raise it using dramatically easier way: just run a matrix multiplication with reed-solomon decoder, as in the one used by CD and DVD players [0].
A matrix multiply seems much easier than neural networks, mutation, genetic operations - and still have much higher Φ.
This sounds good, but this requires that there is a way to store non-dangerous secrets. Security can't just say, "stop storing secrets in plaintext" if removing them will bring developers to halt.
Sadly many security teams are just theater, introducing inconvenience without any tangible benefits. They will happily harass developers for having a CVE in the _internal documentaion tool_ which gets nowhere close to untrusted input, but at the same time will happily approve internal tool which keeps the credentials in a plain-text file and would recommend that tool to everyone.
It would be super cool if you chose 20-100 queries (both common and niche) and shown the sample search results for those.
Those would be completely cached/pre-rendered, so the cost would be very low and there will be no potential for abuse. And yet the visitors could at least get some idea about the quality of your search engine.
reply