top | item 46143658


donpdonp | 2 months ago

It seems like all this infrastructure could be replaced by a DNS TXT record with a public key that browsers could use to check the cert sent from the web server. A web server would load a self-signed cert (or whatever cert they wanted), and put the cert's public key into a DNS record for that hostname. Every visit to a website would need two lookups, one for address and one for key. It puts control back into the hands of the domain owners and eliminates the need for Let's Encrypt.

akovaski | 2 months ago

I'm not sure what that would solve. You would still need some central entity to sign the DNS TXT record, to ensure that the HTTPS client does not use a tampered DNS TXT record.

tzs | 2 months ago

If someone can tamper with your DNS TXT records now they can get a certificate for your domain.

ryangibb | 2 months ago

E.g. DNS-Based Authentication of Named Entities? https://www.rfc-editor.org/rfc/rfc6698

There's a TLSA resource record for certificates instead of a TXT encoding.

As far as I know, no major browser supports it, and adoption is hindered by DNSSEC adoption.
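To make the TLSA mechanism concrete, here is an added example (not code from the thread, from any browser, or from RFC 6698 itself) of how a domain owner builds a TLSA record from a certificate and how a client matches the record against the certificate it received; the DER and SPKI byte strings are constructed stand-ins, since a real client takes them from its TLS library. The match says nothing about whether the record itself arrived untampered; that is what DNSSEC has to guarantee, which is the point akovaski and ryangibb raise.

```python
import hashlib
import hmac

# Field meanings from RFC 6698 section 2.1.
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}  # 0 = exact match
# Usages 0 (PKIX-TA) and 1 (PKIX-EE) still require normal PKIX chain validation;
# 2 (DANE-TA) and 3 (DANE-EE) do not, which is what allows a self-signed cert.
PKIX_REQUIRED = {0: True, 1: True, 2: False, 3: False}


def _association_data(selector, mtype, cert_der, spki_der):
    """Compute the Certificate Association Data the record should carry."""
    if selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unsupported selector or matching type")
    subject = cert_der if selector == 0 else spki_der
    hasher = MATCHING[mtype]
    return subject if hasher is None else hasher(subject).digest()


def build_tlsa(usage, selector, mtype, cert_der, spki_der):
    """Presentation-format rdata the domain owner publishes, e.g. '3 1 1 <hex>'."""
    data = _association_data(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {data.hex()}"


def parse_tlsa(rdata):
    """Split presentation-format rdata; hex data may be broken across whitespace."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_check(rdata, cert_der, spki_der):
    """Return (matched, pkix_validation_still_required) for one TLSA record."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage not in PKIX_REQUIRED:
        raise ValueError(f"unknown certificate usage {usage}")
    expected = _association_data(selector, mtype, cert_der, spki_der)
    # Constant-time comparison so the check leaks nothing about the digest.
    return hmac.compare_digest(expected, assoc), PKIX_REQUIRED[usage]


# Constructed sample input: stand-ins for a DER certificate and its SubjectPublicKeyInfo.
SAMPLE_CERT_DER = b"constructed-self-signed-certificate-der"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info-der"
# DANE-EE, match on SPKI, SHA-256: the pattern closest to the TXT-record idea above.
SAMPLE_RECORD = build_tlsa(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)

if __name__ == "__main__":
    print(SAMPLE_RECORD)
    print(tlsa_check(SAMPLE_RECORD, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))  # (True, False)
    print(tlsa_check(SAMPLE_RECORD, SAMPLE_CERT_DER, b"swapped-key"))     # (False, False)
```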