[cryptography] The Trouble with Certificate Transparency

Nicolai nicolai-cryptography at chocolatine.org
Sun Sep 28 18:46:42 EDT 2014

On Sun, Sep 28, 2014 at 05:18:33PM -0400, Paul Wouters wrote:
> On Sun, 28 Sep 2014, Nicolai wrote:
> >On Fri, Sep 26, 2014 at 10:31:00PM -0400, Paul Wouters wrote:
> >
> >>But we have other decentralised methods that have better privacy (such
> >>as dnssec
> >
> >DNSSEC is not encrypted, so it has no privacy.  It even leaks data that
> >DNS doesn't.  I just checked, and all 5 Eyes plus China and Russia
> >support DNSSEC.
> You took it out of context. What I wrote was about certificate checking:
> 	Of course, one has to be careful not to make the same privacy mistakes as
> 	CRL/OCSP did. But we have other decentralised methods that have better
> 	privacy (such as dnssec, onion sites or whatever blockchain variation
> 	you think is stable infrastructure)
> This is about the privacy of sending centralised entities a request for
> some "certificate validation" every time you visit their website by performing
> a "certificate check". Like sending Comodo an OCSP request every time I
> visit https://privacy.org.
> A better method for distributing such certificate validity information
> is using DNS(SEC), as those queries are cached and decentralised. No
> single entity can track those back to me. There is no direct link
> between my DNS query for TLSA of privacy.org versus someone else's,
> if it is going through ISP caches, external DNS providers, etc etc.

I understand your point and agree -- all I'm saying is that this is a
property of DNS, not DNSSEC.  By calling DNSSEC (specifically) a privacy
method, some people will incorrectly assume that DNSSEC is encrypted.
Because of such statements, it's a common misconception, and that's
worth addressing.

Would you agree that DNSCrypt is more of a "privacy method" than DNSSEC
in this context, since DNSCrypt inherently decouples the client from the
resolver, unlike DNSSEC, which can be run on localhost?
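The point argued above, that DNSSEC signs answers but encrypts nothing, can be seen directly on the wire. The following is an added example, not code from the thread or from either poster: it builds the DNS query a validating stub sends for the TLSA record of privacy.org (the `_443._tcp` prefix assumes HTTPS on TCP port 443, which the thread does not state) with the EDNS0 DO bit set, then parses the raw bytes the way a passive observer on the path would. No key material is needed to recover the queried name and type, and the OPT record with DO set makes the client identifiable as DNSSEC-aware, which a plain DNS query does not reveal.

```python
"""
Added example: a DNSSEC-enabled DNS query (RFC 1035 wire format plus the
EDNS0 OPT record from RFC 6891) and what an on-path observer reads from it.
Nothing here is encrypted; DNSSEC only adds authentication data (RRSIGs)
to the response, requested via the DO bit.
"""
import struct

# Wire-format constants (RFC 1035, RFC 6698, RFC 6891)
QTYPE_A = 1
QTYPE_OPT = 41
QTYPE_TLSA = 52
QCLASS_IN = 1
EDNS_DO_BIT = 0x8000  # DO flag lives in the high bit of the OPT RR's TTL field


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length out of range: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int, dnssec_ok: bool) -> bytes:
    """Build a recursive DNS query; with dnssec_ok, append an OPT RR with DO set."""
    flags = 0x0100  # QR=0 (query), RD=1 (recursion desired)
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    packet = header + question
    if dnssec_ok:
        # OPT RR: root name (0x00), TYPE=41, CLASS=UDP payload size,
        # TTL=ext-RCODE/version/DO/Z, RDLENGTH=0 (no options)
        packet += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO_BIT, 0)
    return packet


def decode_name(packet: bytes, offset: int):
    """Decode an uncompressed name; return (dotted name, offset past it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not used in queries")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def passive_observer(packet: bytes) -> dict:
    """What an ISP, upstream network or tap learns from the raw query bytes."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    dnssec_ok = False
    if ar:
        # A query carries at most one additional record: the OPT RR
        _, off = decode_name(packet, off)  # root name, a single zero byte
        rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        dnssec_ok = rtype == QTYPE_OPT and bool(ttl & EDNS_DO_BIT)
    return {"name": name, "qtype": qtype, "dnssec_ok": dnssec_ok}


if __name__ == "__main__":
    # Constructed input: the TLSA lookup a DANE-aware stub would make before
    # connecting to https://privacy.org (port/transport are assumed).
    q = build_query("_443._tcp.privacy.org", QTYPE_TLSA, 0x1234, dnssec_ok=True)
    print(passive_observer(q))
```

Running it prints the queried name, type 52 (TLSA) and `dnssec_ok: True`, all read straight from the plaintext packet. That is the distinction Nicolai draws: whatever privacy a TLSA lookup has comes from the DNS cache hierarchy between client and authoritative server, not from DNSSEC itself, and a client that sets DO is trivially distinguishable from one that does not.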

