Ask HN: Why SSL certs are not decentralized?
Maybe a noob question: Why SSL/TLS certs are not decentralized? Is it not possible to set public key in DNS TXT record and have private key on the server. Would that not solve encryption? Why do we need SSL / TLS certs from a CA like LetsEncrypt?
28 comments
[ 3.9 ms ] story [ 57.3 ms ] threadAlthough I always thought it would be a nice feature for security conscious folks to be able to ennable. Or go ahead and use it on more sensitive sites only, e.g. banks.
https://www.cloudflare.com/en-au/learning/dns/dns-cache-pois...
At least, we could use this in situations where root cert is not part of CA stores in os/browsers.
I am a very big proponent of building things yourself (rather than using an off-the-shelf/existing solution that's similar) - whether that is tooling, or applications, or hosting your own services, and I'm particularly vocal about not making your business be shackled to specific services run by others (e.g. I'm of the opinion that offering exclusively "social login" is a huge red flag), and even I don't start complaining about "well this stack isn't really self hosted, you're still relying on the registrar for your domain!"
These so-called "tech" companies exert oversized control over the CA scheme.
Pure coincidence.
"WebPKI" Is Going Just Great.
They sit in standards bodies that could fill their moat and undermine every open effort.
It’s insidious and there’s not much anyone with less than a billions dollars of interest in the matter can do about it.
Maybe a government or mega corp like Google will fix it, but I’m not holding my breath…
See Zooko’s triangle: https://en.wikipedia.org/wiki/Zooko%27s_triangle and https://web.archive.org/web/20011020191610/http://zooko.com/...