10
1
To avoid the problems caused by the current SSL certificate infrastructure, the Electronic Frontier Foundation has proposed Sovereign Keys, which appears to be backed by a distributed, append-only datastructure that can grow to hundreds of gigabytes. That sounds awfully familiar to a block chain. Are there similarities between Sovereign Key and Bitcoin (or Namecoin)? Do they employ a related approach or is this just a superficial similarity?
Note that the "sovereign keys" design document explicitly states that it "bootstraps from and reinforces existing PKI techniques". https://git.eff.org/?p=sovereign-keys.git;a=blob;f=sovereign-key-design.txt;hb=HEAD
– eldentyrell – 2011-12-19T07:27:38.163So the gist is basically that instead of relying on separate entities to issue SSL certificates, you are using the authorities that you already need to trust if you are using DNS? – Thilo – 2011-12-20T02:40:39.230
2If you're using SSL you don't actually trust the DNS system -- you rely on it for a service. Just like you don't trust your ISP, but you rely on them to forward packets for you. The DNS system could return bogus IP addresses just as easily as your ISP could send your packets to the wrong destination. They can deny you service, but cannot deceive you. – eldentyrell – 2011-12-20T10:17:54.357
So where is this central trust that you speak of located then? And don't I have to trust DNS for DNSSEC trust anchors? – Thilo – 2011-12-20T11:41:41.273
3
No. DNSSEC-enabled operating systems ship with the public keys of the centralized DNSSEC root bundled in to the software -- much like how browsers ship with the CA's public keys built in to them. If your DNS provider tries to point you to the wrong server, your DNSSEC-enabled OS will notice because the record that comes back won't be signed correctly. I'm not saying any of this is a good idea, of course; just explaining how DNSSEC works. More info is here: http://www.root-dnssec.org/
– eldentyrell – 2011-12-21T07:46:10.990