• rentar42@kbin.social
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    No, DNSSEC simply moves the trust problem around a bit, but there’s no fundamentally different answer to the question of “who do I trust to verify who someone is on the internet”.

    The CA system is terrible, but I’m not aware of any system thats a.) technically “better” by some relevant measure and b.) still sufficiently convenient (a technically perfect system that no one can use correctly is still pointless).

    There’s several steps to make the CA system less terrible with things like certificate transparency logs, but those really only help to find out if a CA was abused, not really to avoid it. It’s an improvement, but it’s of the “we can kick out untrustworthy/incompetent CAs after they abused their power/messed up their security” kind and not of the “this prevents abuses of CA power” kind.