[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

Andrew Lee andrew at joseon.com
Thu Apr 24 15:49:04 EDT 2025


On Apr 24, 2025, at 3:01 AM, Michael Kjörling <9bf3a7ef93bb at ewoof.net> wrote:
> 
> All other issues with blockchain technology aside, in what way does
> DNS CAA RRs (which restrict the set of CAs authorized to issue
> certificates for a given host name) solve the same problem as using a
> horrendously energy-intensive, storage- and bandwidth-hungry
> technology such as proof of work blockchain to distribute trust
> anchors for host names (and for DNSSEC no less)?
> 
> 

The CAA RR doesn’t do much since DNS can have a number of actors in control along the pipeline. In a simple attack, as many have aptly noted, if you connect to someone’s hotspot, they can run whatever they want for DNS and routing including but not limited to the capture and reroute of any non-crypto enhanced DNS requests to their own servers as well. In a more advanced attack, you can get control of some DNS registrar or even infiltrate and become an employee of said registrar.

Blockchain, for all its “horrendously energy-intensive, storage and bandwidth hungry” resource usages, guarantees that the resource records are in fact those desired by the holder(s) of the private key of said name.

Even with DNSSEC, to be clear, there are still other actors who can do things (who controls your TLD, not you right?).

By moving this last root level of trust to a consensus blockchain, you get true p2p authentication with no outside actors in the provenance of verification/chain of trust.

No actors means no theater (which is what is there now as proven by the number of cataclysmic events that have occurred as a result of the known vulnerabilities of the CA architecture).

Energy, storage and minimal bandwidth are a tiny price to pay for that.


> There is no _single_ to the TLS PKI ecosystem. As I mentioned in an
> earlier email in this thread to which you replied, there are even
> multiple (though, admittedly, few) independently maintained lists of
> root CAs.

All that aside, it doesn’t matter because the official “X.509” certificate system allows a single signing validator and for this reason they decided to do this centralized validator CA system.

If you look at GPG/PGP+WoT you can have a number of signers (validators).


Anyway, it is what it is. The force is strong in the CAbal and with enough layers built on top of a system, a system becomes permanent ever so easily without, as one mentioned earlier in the thread, a cataclysmic event.


- Andrew
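
The CAA check discussed in this exchange, as an added example that is not part of the original message or of any CA's code: a sketch of the RFC 8659 lookup a CA performs before issuing for a non-wildcard name, showing that its answer depends entirely on the DNS data the CA is given. The zone contents, CA identifiers and function names are constructed for illustration.

```python
# Added example: CA-side CAA evaluation (RFC 8659), non-wildcard names only.
# All records and CA identifiers below are constructed sample data.

def relevant_caa_set(name, lookup):
    """Climb from the name toward the root; return the first non-empty CAA RRset."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_of(value):
    """Issuer domain of an 'issue' value; parameters after ';' are dropped."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca_id, lookup):
    """True if the CA identified by ca_id may issue for a non-wildcard name."""
    rrset = relevant_caa_set(name, lookup)
    issue_values = [v for (tag, v) in rrset if tag.lower() == "issue"]
    if not issue_values:
        return True  # no 'issue' property: issuance is not restricted
    # An empty issuer (value ";") authorizes nobody.
    return ca_id.lower() in {issuer_of(v) for v in issue_values} - {""}

# Records as the domain holder published them (constructed).
ZONE_AS_PUBLISHED = {
    "example.com": [("issue", "ca-one.example; account=230123"),
                    ("iodef", "mailto:security@example.com")],
    "locked.example.com": [("issue", ";")],
}
# The same name answered differently somewhere along the DNS path (constructed).
ZONE_AS_ANSWERED_ELSEWHERE = {
    "example.com": [("issue", "ca-two.example")],
}

if __name__ == "__main__":
    for view, zone in (("published", ZONE_AS_PUBLISHED),
                       ("answered elsewhere", ZONE_AS_ANSWERED_ELSEWHERE)):
        for ca in ("ca-one.example", "ca-two.example"):
            print(view, ca, may_issue("www.example.com", ca, zone.get))
```

The check has no way to tell the two views apart on its own; any assurance about which one is authentic has to come from how the DNS answers were obtained and validated.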

