Comment by justcommenting

11 years ago

Agree completely, and it's worth noting that I don't have a solution to the issues I mentioned, either.

Leveraging other (potentially insecure) paths to establish trust might help further enhance confidence in authenticity; e.g. verification using something like the broad-based strategy of Moxie's Perspectives (except via plaintext), or maybe through additional verification of plaintext on the site as fetched via Tor, or retrieving a cached copy of the site securely from the Internet Archive or search engines.

DVSNI and multipath testing sound quite interesting, and I think defense in depth is the right approach.

Having been at Akamai's recent Edge conference, I didn't hear much from them on this. Does anyone have any additional details of their interest in the project?

It was quiet, and indeed uncertain, at that point. For myself, I'm extremely excited about the "Let's Encrypt" project's opportunities for experimentation: bringing the marginal cost of certificates to zero should have great effects on Web and Mail services, but should also have something to say about S/MIME and other client-cert uses.

That problem does have a straightforward solution.

Publish your TLSA records. Sign your zone. Done.
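As an added illustration of the "publish your TLSA records" step above (example code written for this page, not something posted in the thread): the block below builds a DANE TLSA record (RFC 6698) from a DER certificate and checks a presented certificate against a published record. It uses only the standard library, so the X.509 walking is a minimal DER reader that relies on the RFC 5280 field order to find the SubjectPublicKeyInfo; the certificate it runs on is a constructed, unsigned stand-in built inline (not a real certificate), and the owner name `_443._tcp.www.example.com.` is an assumed placeholder. The default parameters are usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256), the combination commonly published for DANE; note that usage 2 and 3 only mean something to a validating client if the zone is DNSSEC-signed, which is the "Sign your zone" half of the comment.

```python
import hashlib
import hmac

# --- minimal DER helpers (enough to walk an X.509 certificate) ---

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Encode one TLV."""
    return bytes([tag]) + der_len(len(content)) + content

def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed TLV into its raw child TLVs."""
    out, pos = [], 0
    while pos < len(value):
        _, _, nxt = der_read(value, pos)
        out.append(value[pos:nxt])
        pos = nxt
    return out

def extract_spki(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER X.509 certificate (RFC 5280 field order)."""
    _, cert_body, _ = der_read(cert_der)                     # Certificate ::= SEQUENCE
    _, tbs_body, _ = der_read(der_children(cert_body)[0])    # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                                 # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

# --- TLSA (RFC 6698) ---

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}

def tlsa_association(cert_der, selector, mtype):
    """Certificate association data for the given selector (0 = full cert, 1 = SPKI) and matching type."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data                                          # exact match
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")

def tlsa_record(owner, cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format TLSA record for owner (e.g. _443._tcp.host.)."""
    assoc = tlsa_association(cert_der, selector, mtype).hex()
    return f"{owner} IN TLSA {usage} {selector} {mtype} {assoc}"

def tlsa_parse(text):
    """Parse presentation format back into (usage, selector, mtype, association bytes)."""
    parts = text.split()
    i = parts.index("TLSA")
    usage, selector, mtype = (int(p) for p in parts[i + 1:i + 4])
    return usage, selector, mtype, bytes.fromhex("".join(parts[i + 4:]))

def tlsa_matches(record_text, cert_der):
    """Does the presented certificate match the association published in the record?"""
    usage, selector, mtype, assoc = tlsa_parse(record_text)
    if usage not in USAGES:
        return False
    expected = tlsa_association(cert_der, selector, mtype)
    return hmac.compare_digest(expected, assoc)                # constant-time compare

def constructed_cert(pubkey_byte=0x11):
    """Constructed, unsigned stand-in for a DER certificate (example data only, not a real cert).
    Returns (certificate, its SPKI TLV) so the extractor can be checked."""
    version = der(0xA0, der(0x02, b"\x02"))
    serial = der(0x02, b"\x01")
    sigalg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption OID
    name = der(0x30, b"")                                                # empty Name, fine for the walker
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")))  # id-ecPublicKey OID
                + der(0x03, b"\x00\x04" + bytes([pubkey_byte]) * 64))
    tbs = der(0x30, version + serial + sigalg + name + validity + name + spki)
    return der(0x30, tbs + sigalg + der(0x03, b"\x00" + b"\x55" * 16)), spki

if __name__ == "__main__":
    cert, _ = constructed_cert()
    rec = tlsa_record("_443._tcp.www.example.com.", cert)   # assumed placeholder owner name
    print(rec)
    print("match:", tlsa_matches(rec, cert))
```

For a real deployment the same association value is what you would compute from the server's actual certificate (or, with usage 2, from the issuing CA's), then publish under the `_port._proto.name` owner and re-publish before every key rotation; the check in `tlsa_matches` is the client-side half, and it is only trustworthy when the record arrived via a DNSSEC-validated answer.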