Re: Quic: the elephant in the room

Phillip Hallam-Baker <phill@hallambaker.com> Sun, 11 April 2021 04:20 UTC

References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <CABrd9STZXonBDvWB7Z36H2mD20Juubc01TUmEvpfWkvJggQVOQ@mail.gmail.com> <20210410175712.GF9612@localhost> <926C5F27-E011-4809-88DB-DBC9A8976D01@dukhovni.org> <20210410195048.GG9612@localhost> <bfdceabb-143b-a0ab-3041-05888e8f39f2@mtcc.com> <YHIPXIA8KUueSd+f@straasha.imrryr.org>
In-Reply-To: <YHIPXIA8KUueSd+f@straasha.imrryr.org>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Sun, 11 Apr 2021 00:20:28 -0400
Message-ID: <CAMm+LwiLkkv0wgRQQ23dwrMFm7tqDyk9DLkiu8chN68QZb-hXw@mail.gmail.com>
Subject: Re: Quic: the elephant in the room
To: IETF Discussion Mailing List <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/CLB6HCPcwrQMdLtmcBH_EmjTBNc>

The number of people signing is utterly irrelevant. Nothing was ever
secured by creating a digital signature, not once, not ever.

Only VERIFYING digital signatures provides security. And nobody knows what
to do when DNSSEC validation fails so nobody really does it and nobody is
likely to if people keep trying to apply 1990s thinking to 2020s problems.

What this means for NFTs is left as an exercise for the reader...


On the trust root issue. Alice should be the root of trust for Alice, Bob
should be the root of trust for Bob. That is what I have been building. And
with an application that secures data at rest without rendering it unusable.

What if Alice could register a lifelong callsign enrolled in an append-only
log which is ultimately notarized by every relying party?

@alice -> [key: <alice's root key>, service: @provider]
@provider -> [key: <provider root key>, DNS 10.10.10.10]

What is this? Well, we have roots of trust for Alice and her Mesh service
provider. And her service provider publishes the authoritative zone
alice.mesh from an alt.root DNS service at 10.10.10.10, and this is DNSSEC
signed under a root key countersigned under <alice's root key>, providing
security policy information, and the TLS certs are signed under a chain
cross-certified by <alice's root key>.

If six people here tell me they have read the drafts, I will add IPv6 to
the testbed service when it goes live later this year.


If successful, this will disrupt the business model of every CA that does
not have the foresight to become a Mesh Service Provider in which case the
threshold approach I make use of will provide them with significant and
more substantial new business opportunities.

The core concept of the callsign registry is that it is 'number portability
for the Internet'. Alice owns @alice for life. The only time a callsign is
ever reassigned without consent is when it is a trademark issue. I
predicted the anti-trust storm and I have thought of a way out.

Of course the callsign registry will have to be public goods administered
through a not for profit. Callsigns have to be sufficiently cheap to create
that we can give everyone on the planet at least one. DNS names cost
$10/yr. I want to make names available for $0.10 for life. At that price
banks and health care providers will likely find it cheaper to buy them on
behalf of customers who haven't got one yet.


On Sat, Apr 10, 2021 at 4:50 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Sat, Apr 10, 2021 at 12:59:34PM -0700, Michael Thomas wrote:
>
> > Yeah, I was trying to verify whether google, amazon and facebook sign
> > but it appears not? my dig fu is admittedly bad so I might be full of it
> > (hopefully).
>
> The largest US-based Internet companies have not yet signed their DNS
> zones.  The DNSSEC-signed domains among the top 500 Alexa-ranked sites
> are:
>
>     europa.eu 53
>     nih.gov 62
>     paypal.com 81
>     cloudflare.com 91
>     chaturbate.com 115
>     cdc.gov 118
>     canva.com 158
>     stanford.edu 173
>     nasa.gov 198
>     force.com 201
>     time.com 208
>     salesforce.com 211
>     doi.org 235
>     foxnews.com 238
>     padlet.com 254
>     thestartmagazine.com 256
>     themeforest.net 258
>     debian.org 271
>     berkeley.edu 279
>     statcounter.com 285
>     addtoany.com 290
>     mediafire.com 309
>     taboola.com 313
>     ikea.com 321
>     loc.gov 331
>     pixabay.com 334
>     ietf.org 336
>     pki.goog 344
>     irs.gov 349
>     discord.com 354
>     fda.gov 375
>     avito.ru 385
>     hubspot.com 387
>     quizlet.com 392
>     whitehouse.gov 412
>     usda.gov 447
>     state.gov 448
>     epa.gov 489
>     noaa.gov 490
>     sciencedaily.com 491
>
> --
>     Viktor.
>
>
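The callsign registry sketched in the message above (an append-only log that every relying party notarizes, with names that are never reassigned) can be modelled in a few dozen lines. The Python below is an added example written for this page; it is not code from Phillip Hallam-Baker's Mesh drafts or testbed, and the real design is not this simple. It assumes a SHA-256 hash chain over canonical JSON, placeholder strings (`ALICE-ROOT-KEY` and similar) standing in for real root keys, and a relying party that notarizes the log only by remembering the last head it accepted. It shows the point of the quoted thread from the verifying side: an entry edited in place breaks the chain, and a fully re-chained rewrite is only caught because a relying party kept state and checked it.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    """One registration in the callsign log (all field values are constructed)."""
    callsign: str   # e.g. "@alice"
    key: str        # placeholder standing in for the holder's root public key
    service: str    # "@provider" for a user, a DNS locator for a provider
    prev: str       # hex digest of the preceding entry, "" for the first entry

    def digest(self) -> str:
        # Canonical JSON so every party computes the same digest.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CallsignLog:
    """Append-only, hash-chained registry: entries are added, never edited."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def head(self) -> str:
        return self.entries[-1].digest() if self.entries else ""

    def register(self, callsign: str, key: str, service: str) -> Entry:
        # A callsign is bound for life: a second registration is refused.
        if any(e.callsign == callsign for e in self.entries):
            raise ValueError(f"{callsign} is already registered")
        entry = Entry(callsign, key, service, self.head())
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[Entry]) -> bool:
    """Relying-party check: each entry links to its predecessor, no callsign repeats."""
    prev, seen = "", set()
    for e in entries:
        if e.prev != prev or e.callsign in seen:
            return False
        seen.add(e.callsign)
        prev = e.digest()
    return True


class RelyingParty:
    """Notarizes the log by remembering the head it last accepted (assumed model).

    A later copy of the log is accepted only if it is a valid chain that still
    contains that head at the same position: history extended, not rewritten.
    """

    def __init__(self) -> None:
        self.seen_len = 0
        self.seen_head = ""

    def check(self, log: CallsignLog) -> bool:
        entries = log.entries
        if not verify_chain(entries) or len(entries) < self.seen_len:
            return False
        if self.seen_len and entries[self.seen_len - 1].digest() != self.seen_head:
            return False  # long enough, but the prefix we notarized is gone
        self.seen_len, self.seen_head = len(entries), log.head()
        return True


def demo() -> Dict[str, bool]:
    results: Dict[str, bool] = {}
    log = CallsignLog()
    log.register("@alice", "ALICE-ROOT-KEY", "@provider")
    log.register("@provider", "PROVIDER-ROOT-KEY", "dns:10.10.10.10")
    rp = RelyingParty()
    results["honest_accepted"] = rp.check(log)

    # Honest growth: a new callsign extends the notarized prefix.
    log.register("@bob", "BOB-ROOT-KEY", "@provider")
    results["extension_accepted"] = rp.check(log)

    # Reassignment without consent is refused by the registry itself.
    try:
        log.register("@alice", "MALLORY-KEY", "@provider")
        results["reassignment_refused"] = False
    except ValueError:
        results["reassignment_refused"] = True

    # Editing @alice's key in place breaks the link from the next entry.
    edited = [Entry("@alice", "MALLORY-KEY", "@provider", "")] + log.entries[1:]
    results["edited_chain_valid"] = verify_chain(edited)

    # A fully re-chained rewrite is internally valid; only the relying party's
    # remembered head reveals that the history it notarized has been swapped.
    rewritten = CallsignLog()
    rewritten.register("@alice", "MALLORY-KEY", "@provider")
    rewritten.register("@provider", "PROVIDER-ROOT-KEY", "dns:10.10.10.10")
    rewritten.register("@bob", "BOB-ROOT-KEY", "@provider")
    results["rewrite_chain_valid"] = verify_chain(rewritten.entries)
    results["rewrite_accepted"] = rp.check(rewritten)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design choice worth noticing is that `verify_chain` alone accepts the rewritten log: a self-consistent chain proves nothing about which chain is the real one. The append-only property only holds against the state each relying party keeps, which is what "notarized by every relying party" buys you, and why a registry that nobody checks is no safer than the unverified DNSSEC signatures the thread complains about.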