On Sun, Sep 28, 2014 at 05:18:33PM -0400, Paul Wouters wrote:
> On Sun, 28 Sep 2014, Nicolai wrote:
>
> > On Fri, Sep 26, 2014 at 10:31:00PM -0400, Paul Wouters wrote:
> >
> > > But we have other decentralised methods that have better privacy (such
> > > as dnssec
> >
> > DNSSEC is not encrypted, so it has no privacy. It even leaks data that
> > DNS doesn't. I just checked, and all 5 Eyes plus China and Russia
> > support DNSSEC.
>
> You took it out of context. What I wrote was about certificate checking:
>
> Of course, one has to be careful not to make the same privacy mistakes as
> CRL/OCSP did. But we have other decentralised methods that have better
> privacy (such as dnssec, onion sites or whatever blockchain variation
> you think is stable infrastructure)
>
> This is about the privacy of sending centralised entities a request for
> some "certificate validation" every time you visit their website by performing
> a "certificate check". Like sending Comodo an OCSP request every time I
> visit https://privacy.org.
>
> A better method for distributing such certificate validity information
> is using DNS(SEC), as those queries are cached and decentralised. No
> single entity can track those back to me. There is no direct link
> between my DNS query for TLSA of privacy.org versus someone else's,
> if it is going through ISP caches, external DNS providers, etc etc.
I understand your point and agree -- all I'm saying is that this is a
property of DNS, not DNSSEC. By calling DNSSEC (specifically) a privacy
method, some people will incorrectly assume that DNSSEC is encrypted.
Because of such statements, it's a common misconception, and that's worth
addressing.

Would you agree that DNSCrypt is more of a "privacy method" than DNSSEC in
this context, since DNSCrypt inherently decouples the client from the
resolver, unlike DNSSEC, which can be run on localhost?

Nicolai
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
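As an added illustration of the point argued in this exchange (this is editor-supplied example code, not something either participant posted): the Python below constructs the DNS query a DANE-aware client sends for the TLSA record of an HTTPS host, using privacy.org from the thread as the host, with an EDNS0 OPT record carrying the DO (DNSSEC OK) bit the way a validating resolver sets it, and then parses those bytes the way a passive on-path observer would. The port, transaction ID and EDNS payload size are assumed values chosen for illustration. What it shows is that DNSSEC changes the query only by adding the DO flag; the name being looked up is still readable in the packet, so any privacy comes from where the query is sent (a local or shared cache) or from an encrypted transport such as DNSCrypt, not from DNSSEC itself.

```python
import struct

QTYPE_TLSA = 52      # RFC 6698 TLSA record type
QTYPE_OPT = 41       # EDNS0 OPT pseudo-RR
EDNS_DO = 0x8000     # DNSSEC OK bit in the OPT TTL field


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_tlsa_query(host: str, port: int = 443, txn_id: int = 0x1234,
                     dnssec_ok: bool = True) -> bytes:
    """Build the UDP payload of a TLSA query for _<port>._tcp.<host>.

    txn_id and the 4096-byte EDNS payload size are assumed example values.
    """
    qname = f"_{port}._tcp.{host}"
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_TLSA, 1)
    # OPT RR: root name, type OPT, class = UDP payload size, TTL = ext-rcode/version/flags, RDLEN=0
    ttl = EDNS_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, ttl, 0)
    return header + question + opt


def decode_name(buf: bytes, off: int):
    """Read an uncompressed wire-format name; return (name, offset after it)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def observe(packet: bytes) -> dict:
    """What a passive observer on the path can read from the query bytes."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    dnssec_ok = False
    if ar:
        # OPT RR layout: name(1) type(2) class(2) ttl(4) rdlen(2)
        _, rtype, _, ttl, _ = struct.unpack("!BHHIH", packet[off:off + 11])
        if rtype == QTYPE_OPT:
            dnssec_ok = bool(ttl & EDNS_DO)
    return {"txn_id": txn_id, "qname": qname, "qtype": qtype, "dnssec_ok": dnssec_ok}


if __name__ == "__main__":
    pkt = build_tlsa_query("privacy.org")
    print(pkt.hex())
    # The visited host is a plain substring of the packet whether or not DO is set.
    print("hostname visible in clear:", b"\x07privacy\x03org" in pkt)
    print(observe(pkt))
```

Running it with `dnssec_ok=True` and `dnssec_ok=False` produces packets that differ only in the OPT TTL field; `observe()` recovers `_443._tcp.privacy.org` from both, which is the leak the thread is discussing. Signatures in the response let a validator check the TLSA data, but they do not touch the query.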