- From: Brian Behlendorf
- To:
- Subject: Re: [projectvrm] Minimum viable VRM web site or service
- Date: Thu, 15 Jan 2015 17:26:19 -0800 (PST)
On Fri, 16 Jan 2015, Henrik Biering wrote:
> DNSSEC+DANE is another option whereby you can replace the risk of just one
> out of hundreds of CAs being exploited with relying only on the security of
> your own server as well as your DNS operator:
> http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
> None of the standard browsers support this (too good relations with the
> CAs?), but plugins are available for Chrome, Firefox, IE and Safari:
> https://www.dnssec-validator.cz/
Thanks for the link! Been meaning to try that out. Quite happy to see
the projects and websites already supporting it, e.g.
https://www.freebsd.org/.
I can see some of Mozilla's concerns for core integration but I bet
they'll be worked through.
https://wiki.mozilla.org/Security/DNSSEC-TLS-details
On Thu, 15 Jan 2015, Johannes Ernst wrote:
> On Jan 15, 2015, at 16:01, Henrik Biering wrote:
>> The Public Key Pinning that you reference is not scalable.
> Which aspect do you think would not scale?
> For example, if I have an existing relationship with site A, and site A
> has a hyperlink to site B (which is the predominant way of finding out
> about new sites anyway), site A could also vouch for site B's keys. In
> fact, it probably shouldn't have a link to B unless it is quite certain
> who B is :-)
He wasn't talking about your web of trust proposal; he was talking about
the thing I mentioned: the way Google and Mozilla hard-code certificates
for specific web sites into their respective browsers, so that they can't
be forged on the network. Great for their respective websites and a few
other popular ones they include, but not a general-purpose solution.
Brian
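As an added illustration of the DANE pinning Henrik describes (this is example code, not code from the thread or from the DNSSEC/TLSA Validator project), the Go package below derives a TLSA record's association data from a certificate's SubjectPublicKeyInfo and checks a presented certificate against it, refusing the record usages that still depend on a CA chain. The self-signed certificate, the record fields and the hostname are constructed for the example; only SHA-256 matching is implemented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA is the RDATA of a DANE record (RFC 6698): "3 1 1 <hex>" = DANE-EE, SPKI, SHA-256.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// Associate computes rec's association data from cert: SHA-256 (matching type 1) of the
// full DER certificate (selector 0) or of its SubjectPublicKeyInfo (selector 1).
func Associate(cert *x509.Certificate, rec TLSA) ([]byte, error) {
	src := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[rec.Selector]
	if src == nil || rec.MatchingType != 1 { // matching types 0 and 2 left out
		return nil, fmt.Errorf("unsupported selector/matching type %d/%d", rec.Selector, rec.MatchingType)
	}
	sum := sha256.Sum256(src)
	return sum[:], nil
}

// MatchesDANEEE reports whether cert is what a usage-3 record pins. Usages 0-2 are
// rejected here: they still need a PKIX chain to a CA, the dependency the thread drops.
func MatchesDANEEE(rec TLSA, cert *x509.Certificate) bool {
	got, err := Associate(cert, rec)
	return rec.Usage == 3 && err == nil && string(got) == string(rec.Data)
}

// SelfSigned builds a throwaway self-signed certificate (a constructed fixture, not any
// real site's certificate) so the example runs offline; errors are fatal for a fixture.
func SelfSigned(cn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

The operator publishes the bytes returned by Associate as a DNSSEC-signed `_443._tcp.<host>` TLSA record; a DANE-aware client then accepts only a certificate whose SPKI hashes to that value, regardless of which CA signed it.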