[cryptography] The Trouble with Certificate Transparency
nicolai-cryptography at chocolatine.org
Sun Sep 28 18:46:42 EDT 2014
On Sun, Sep 28, 2014 at 05:18:33PM -0400, Paul Wouters wrote:
> On Sun, 28 Sep 2014, Nicolai wrote:
> >On Fri, Sep 26, 2014 at 10:31:00PM -0400, Paul Wouters wrote:
> >>But we have other decentralised methods that have better privacy (such
> >>as dnssec
> >DNSSEC is not encrypted, so it has no privacy. It even leaks data that
> >DNS doesn't. I just checked, and all 5 Eyes plus China and Russia
> >support DNSSEC.
> You took it out of context. What I wrote was about certificate checking:
> Of course, one has to be careful not to make the same privacy mistakes as
> CRL/OCSP did. But we have other decentralised methods that have better
> privacy (such as dnssec, onion sites or whatever blockchain variation
> you think is stable infrastructure)
> This is about the privacy of sending centralised entities a request for
> some "certificate validation" every time you visit their website by performing
> a "certificate check". Like sending Comodo an OCSP request every time I
> visit https://privacy.org.
> A better method for distributing such certificate validity information
> is using DNS(SEC), as those queries are cached and decentralised. No
> single entity can track those back to me. There is no direct link
> between my DNS query for TLSA of privacy.org versus someone else's,
> if it is going through ISP caches, external DNS providers, etc etc.
I understand your point and agree -- all I'm saying is that this is a
property of DNS, not DNSSEC. By calling DNSSEC (specifically) a privacy
method, some people will incorrectly assume that DNSSEC is encrypted.
Because of such statements, it's a common misconception, and that's
Would you agree that DNSCrypt is more of a "privacy method" than DNSSEC
in this context, since DNSCrypt inherently decouples the client from the
resolver, unlike DNSSEC, which can be run on localhost?
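The point of the reply above, that DNSSEC signs DNS data but does not encrypt the query, can be checked directly on the wire format. The following is an added example, not part of the thread or any referenced project: it builds the kind of TLSA query mentioned in the exchange (for the constructed name `_443._tcp.privacy.org`) with the EDNS0 "DNSSEC OK" (DO) bit set, then parses the bytes the way any on-path observer could, showing that the queried name and type are readable in cleartext whether or not the DO bit is present. The transaction ID and UDP payload size are arbitrary values chosen for the example; no packets are sent.

```python
import struct

TYPE_TLSA = 52   # RR type number for TLSA (RFC 6698)
TYPE_OPT = 41    # pseudo-RR type for EDNS0 (RFC 6891)
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Build a standard recursive query; add an OPT RR with the DO bit if requested."""
    arcount = 1 if dnssec_ok else 0
    # Header: ID, flags (RD=1 only), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size (4096, arbitrary here),
        # extended RCODE=0, EDNS version=0, flags with DO=0x8000, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def decode_name(data: bytes, offset: int):
    """Read an uncompressed wire-format name; return (dotted name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def observe(packet: bytes) -> dict:
    """What a passive observer recovers from the query bytes: name, type, DO flag."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    do_bit = False
    if arcount:
        # OPT RR is 1 root byte + 10 fixed bytes; the DO bit is the high bit of the flags word
        _root, rtype, _udp, _ercode, _ver, z, _rdlen = struct.unpack("!BHHBBHH", packet[off:off + 11])
        do_bit = (rtype == TYPE_OPT) and bool(z & 0x8000)
    return {"txid": txid, "qname": qname, "qtype": qtype, "dnssec_ok": do_bit}


if __name__ == "__main__":
    for do in (True, False):
        pkt = build_query("_443._tcp.privacy.org", TYPE_TLSA, dnssec_ok=do)
        print(observe(pkt))
```

Both variants print the same `qname` and `qtype`; only the `dnssec_ok` flag differs. The name is visible because DNSSEC adds signatures to the response, not confidentiality to the query; whatever unlinkability exists comes from the caching and forwarding path the reply describes, and a transport such as DNSCrypt would be what hides the bytes from an observer between client and resolver.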