Um.. no? Those are DNSSEC keys, so they do not really matter. AFAIK, no one is using DANE yet, so what’s the worst that someone with access to those keys do?
Modify unencrypted traffic? Cause DOS attacks? This can be done without the keys already
Blockchain technology, and in other words, a distributed, decentralized record store shared across multiple participants, is the perfect technology to disrupt the heavy centralization of naming.
This is one of the few places the use of a blockchain will shine.
I highly doubt it. We’d still have a dispute process and law mandated domain transfers, so there would need to be a centralized regulator. The transparency is nice, but you do not need full blockchain for this - something like SSL’s Certificate Transparency would work much better.
But, will it actually be more secure than what is described in the article (how do you protect against sybil attack? what if there is a zero day in some piece of software in the block chain stack?)
Because for now it's the only mechanism that we all use to do lookups. Magnet links are too tedious to give out over the phone - domain names are catchy and memorable and can be easily said over the phone. This is why people brute force Tor .onion addresses to something memorable, like Facebook's .onion https://facebookcorewwwi.onion/ And I suspect if you start using magnet links that people will find a way to make them memorable too
We will have a monopoly on X because that’s what we all use and that’s how we’ve always done it. No alternatives are needed.
- Well does that reason work well in any other area of life?
“Too tedious to give over the phone” - usually you give a business card or email a link of sms a link. And all you can give over the phone is
A easy to pronounce domain name
With no ambiguities
With a common tld
And even then, ALL you can do is give out the homepage. Any other resource deeper on your site — and you don’t use your phone do you?
Do you use the phone to give out the URL of an article on nytime.com or video you posted on youtube? Thus the VAST MAJORITY of links you don’t give out on the phone.
If you DO want to give something out on the phone then people can just google for it. Or use another search engine
DNS is literally the search engine with the least features. Google lets youfind any resource within your site, and even lets you misspell stuff. How is that not strictly better?
To summarize:
ICANN monopoly is replaced with search engines, which do far more than find your homepage from an exactly spelled domain
Magnet links can be memorable via search engines
Links are usually NOT to the homepage and are not really human dictated anyway (eg youtube)
Tunnelling an internet resource address through a phone conversation is pretty bad anyway, but better to allow innovation in it like searchh engines or just text the link afterwards (as most people do)
Links are usually replaced with nice-looking thumbnails and titles in UI
In Javascript and other languages, it’s no big deal to hold magnet links in variables.
There is a second way to look at DNS: together with CA system, it proves the website identity. When an email sends me to payment page, I look at address to confirm: yep, it says “hsbc.com”, I can enter my financial details there. Or: It says “ubuntu.com”, I can download software from there.
For that to work, there needs to be a single registry, with human mediators and subject to legal process. I want to know that even if company loses control of their private key (like microsoft.com did once), the sitation will still be resolved very fast.
Note that strictly speaking, this is about CA system, not about DNS. But those systems are deeply linked to each other, so it makes no sense to replace one while keeping the other one around.
Proving to X that you’re Y doesn’t have to involve a monopoly either. Who says someone can’t bribe Google Places or a CA and say that a domain matches a restaurant. How do they reliably check millions of businesses anyway? Don’t we rely on lots of third parties, network effects and our own experience anyway?
In short, X could use stuff like Verified Claims by Z to find out facts about Y. The collection of those facts make up its identity to X. None of this needs a centralized database.
When you lose control of a private key for your stuff, the solution isn’t to run to some daddy corporation which also has it and could impersonate you the whole time. You can have eg Shamir Secret Sharing with 5 other people. You could have part of a backup key derived from a known passphrase or biometrics. And so on.
Glad you mentioned Network Effects[0]. I forgot to mention that in my original comment. So yeah; that's why DNS is popular & centralized; the more people that use the network, the more valuable the network.
Re "digital-imprimatur" text -- I am sorry, I could not get through it. The first part of it seems to be boring explanation of basic internet concepts; the second part seems to be full of wild predictions which do not seem to be coming true (I have been hearing about personal certificates for the web since passport.com introduction in 1999)
Re proving to X that you are Y: there is a well known difference between authentication vs authorization that is easy to overlook. In case of domain names, "authentication" roughly means "same entity owns the name", and "authorization" means "I know something about the entity".
Having readable domain names is critical to linking things to the real world. For example:
- I wrote my email on (paper) new patient form. Doctor now can send me messages and know they will get to me and not someone else.
- I was visiting my favorite food store and saw a sign saying "Visit www.LATastyMarket.com for coupons". I can now go to that site and expect to get to the right store.
- My friend told me that Ubuntu is a well known organization and does not distribute malware. I can go to ubuntu.com and download software from that site.
In all of those cases, I do not care about "Claims by Z to find out facts about Y". The collection of facts about ubuntu.com is useless to me (unless it says "it is that thing you were talking with your friend about yesterday during lunch"). I need an identity -- short string which I can remember and recognize again. If there is a mechanism which prevents typos for high value targets, this is even better.
> When you lose control of a private key for your stuff [...] you can have eg Shamir Secret Sharing with 5 other people. You could have part of a backup key derived from a known passphrase or biometrics.
Yes I could, but why would I do this? I have seen (and designed) a security process for my work. It is a complex process, with separated servers, restricted privileges, detailed logs, automated alerting. It takes a significant amount of stuff to maintain. I could do the same for my home computer, but it is significant amount of work and time, and I have more interesting ways to spend my time.
A human has a limited amount of time in their life. While I can bake my own bread (for example), I buy it from the bakery instead, and spend my time on more interesting things. Same is with security -- I do not want to mess with Shamir Secret Sharing, I am happy to delegate it to someone else. (And do not say "it is easy" or "it just needs a good UI". Storing secrets is inherently hard, and any easy solution is likely insecure)
