On Thu, May 22, 2025 at 12:14 PM John R Levine <[email protected]> wrote:

> On Thu, 22 May 2025, Phillip Hallam-Baker wrote:
>
>>> I understand how DANE client certs could work technically but I'm not
>>> seeing much real world use for them. I know what Bluesky does, but the domain
>>> names it hands out don't really exist so they aren't useful for federated
>>> anything.
>>
>> You missed the point of the scheme then.
>>
>> My handle on Blue Sky is @phill.hallambaker.com, my domain, I control it. I
>> just added a TXT record to bind my ATmosphere DID to my address.
>
> Yes, I get that, I'm @jl.ly. I believe this could work technically but I
> do not believe it is a problem that many people care about.

The problem people care about is having to remember a password for every site they interact with. The problem sites care about is being able to provide account-like features without the hassle of managing passwords and without giving their principal competitor Facebook critical information about their site.

I know passkeys is supposed to be the solution to this problem. But their scheme has proved unworkable so far and they show no signs of acknowledging they have a problem, let alone solving it.

I am not looking for this as a near-term solution either; using OAUTH for authentication against a DNS Handle is more than sufficient to build critical mass. OAUTH is the killer app, TLS Client Auth is like moving from HTTP/1.1 to HTTP/2. In my experience, it is much easier to deploy an in-flight upgrade if you plan for it in advance.

> It's a lot like web3, you control your own data with cryptographic
> assurances that everyone claiming to be you is the same entity, but with
> DNSSEC which can scale rather than blockchains. Web3 went nowhere. I
> don't see why this is different.

It is nothing at all like the Web3 schemes. It is not predicated on selling people tickets for a Ponzi scheme.

It isn't exactly a surprise that name coins that cost $80 in real money every 9 months and can only be bought with a Ponzi currency based on an obnoxious ideology failed to take off. Well, not to me at least.

Oh, and I am not predicating anything on DNSSEC. That is an option of course, but only one, and it doesn't actually change the security very much for my application because I only use handles for first contact and for claiming an identity; it is the underlying key that is the persistent identity sites authenticate against.
_______________________________________________
dane mailing list -- [email protected]
To unsubscribe send an email to [email protected]
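The "TXT record binding a DID to my domain" step discussed in the thread is easy to get subtly wrong on the verifying side: a DNS record alone lets any domain owner claim someone else's DID, so a verifier has to check the binding in both directions (DNS says handle -> DID, and the DID document says DID -> handle). The following is an added example, not code from the thread or from any AT Protocol implementation. It assumes the AT Protocol convention of a TXT record at `_atproto.<handle>` with the value `did=<did>` and a DID document whose `alsoKnownAs` lists `at://<handle>`; the resolver answers and DID documents are constructed stand-ins so the check runs offline, and the DID values are placeholders.

```python
"""Bidirectional handle <-> DID verification (added example, constructed data).

Assumed conventions (AT Protocol handle resolution via DNS):
  - TXT record at "_atproto.<handle>" with value "did=<did>"
  - DID document "alsoKnownAs" contains "at://<handle>"
Both lookups below are in-memory stand-ins for DNS and DID resolution.
"""
import re

# Loose syntactic check for the two DID methods the protocol uses.
DID_RE = re.compile(r"^did:(plc|web):[A-Za-z0-9._:%-]+$")

# Constructed stand-in for a DNS resolver's TXT answers, keyed by owner name.
# The DID strings are placeholders, not real identifiers.
FAKE_TXT = {
    "_atproto.phill.hallambaker.com": ["did=did:plc:placeholder-did-1"],
    # An unrelated domain publishing the same DID: DNS alone would "verify" it.
    "_atproto.spoof.example": ["did=did:plc:placeholder-did-1"],
    # Unrelated TXT data plus a malformed did= value.
    "_atproto.broken.example": ["v=spf1 -all", "did=not-a-did"],
    # Two conflicting bindings: treated as unresolved, not first-wins.
    "_atproto.ambiguous.example": ["did=did:plc:placeholder-did-1",
                                   "did=did:plc:placeholder-did-2"],
}

# Constructed DID documents, keyed by DID. Only one handle is claimed.
FAKE_DID_DOCS = {
    "did:plc:placeholder-did-1": {
        "id": "did:plc:placeholder-did-1",
        "alsoKnownAs": ["at://phill.hallambaker.com"],
    },
}


def did_from_txt(handle, txt_lookup):
    """Return the single well-formed DID bound to handle via DNS, else None."""
    handle = handle.strip().lower().rstrip(".")
    records = txt_lookup.get(f"_atproto.{handle}", [])
    dids = [r[len("did="):].strip() for r in records if r.startswith("did=")]
    # Zero records or more than one distinct DID is "unresolved", never a guess.
    if len(set(dids)) != 1:
        return None
    did = dids[0]
    return did if DID_RE.match(did) else None


def verify_handle(handle, txt_lookup, did_docs):
    """Check handle -> DID (DNS) and DID -> handle (DID document).

    Returns (ok, did, reason). The DID, not the handle, is the stable
    identity; the handle is only trusted once both directions agree.
    """
    handle = handle.strip().lower().rstrip(".")
    did = did_from_txt(handle, txt_lookup)
    if did is None:
        return (False, None, "no single well-formed did= TXT record")
    doc = did_docs.get(did)
    if doc is None:
        return (False, did, "DID document not found")
    if f"at://{handle}" not in doc.get("alsoKnownAs", []):
        # The DNS side claims the DID, but the DID does not claim this handle.
        return (False, did, "DID document does not claim this handle")
    return (True, did, "ok")


if __name__ == "__main__":
    for h in ("phill.hallambaker.com", "spoof.example",
              "broken.example", "ambiguous.example"):
        print(h, verify_handle(h, FAKE_TXT, FAKE_DID_DOCS))
```

The `spoof.example` case is the one that matters for the threat model in the thread: the domain owner controls their own DNS, so DNS can only prove "this domain points at that DID", and the reverse claim has to come from the DID document that the key holder controls. A real deployment would replace the two dictionaries with an actual DNS resolver and DID resolver (and, if using DNSSEC, validate the TXT answer), but the acceptance logic stays the same.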
