[kwlug-disc] Let's Encrypt out of beta
Hubert Chathi
hubert at uhoreg.ca
Tue Apr 19 12:38:58 EDT 2016
On Fri, 15 Apr 2016 21:02:51 -0400, Paul Nijjar via kwlug-disc <kwlug-disc at kwlug.org> said:
>>
>> But the real solution to basic web encryption isn't Let's Encrypt,
>> it's DNSSEC + DANE.
> I happened to run into this today, which is a differing opinion:
> http://sockpuppet.org/blog/2015/01/15/against-dnssec/
A lot of his arguments aren't quite correct. One of the biggest ones is
in the "DNSSEC is a Government-Controlled PKI" section, where he says:
"Had DNSSEC been deployed 5 years ago, Muammar Gaddafi would have
controlled BIT.LY’s TLS keys." For one thing, he's overstating things:
Gaddafi would have had control over what TLS public key is considered
authoritative, but bit.ly's TLS secret key would still be secret. For
another thing, in this case, it would have been *only* Gaddafi who could
have replaced bit.ly's public key, in contrast to the current situation,
where there are hundreds of organizations/governments/etc (including
.ly) who can already do that.
EasyDNS has a good rebuttal http://blog.easydns.org/2015/08/06/for-dnssec/
More information about the kwlug-disc
mailing list