The number of people signing is utterly irrelevant. Nothing was ever secured by creating a digital signature, not once, not ever.
Only VERIFYING digital signatures provides security. And nobody knows what to do when DNSSEC validation fails so nobody really does it and nobody is likely to if people keep trying to apply 1990s thinking to 2020s problems.
What this means for NFTs is left as an exercise for the reader...
On the trust root issue. Alice should be the root of trust for Alice, Bob should be the root of trust for Bob. That is what I have been building. And with an application that secures data at rest without rendering it unusable.
What if Alice could register a lifelong callsign enrolled in an append only log which is ultimately notarized by every relying party?
@alice -> [key: <alice's root key>, service: @provider]
@provider -> [key: <provider root key>, DNS 10.10.10.10]
What is this? Well, we have roots of trust for Alice and her Mesh service provider. And her service provider publishes the authoritative zone alice.mesh from an alt.root DNS service at 10.10.10.10, and this is DNSSEC signed under a root key countersigned under <alice's root key> providing security policy information, and the TLS certs are signed under a chain cross certified by <alice's root key>.
If six people here tell me they have read the drafts, I will add IPv6 to the testbed service when it goes live later this year.
If successful, this will disrupt the business model of every CA that does not have the foresight to become a Mesh Service Provider in which case the threshold approach I make use of will provide them with significant and more substantial new business opportunities.
The core concept of the callsign registry is that it is 'number portability for the Internet'. Alice owns @alice for life. The only time a callsign is ever reassigned without consent is when it is a trademark issue. I predicted the anti-trust storm and I have thought of a way out.
Of course the callsign registry will have to be a public good administered through a not for profit. Callsigns have to be sufficiently cheap to create that we can give everyone on the planet at least one. DNS names cost $10/yr. I want to make names available for $0.10 for life. At that price banks and health care providers will likely find it cheaper to buy them on behalf of customers who haven't got one yet.
On Sat, Apr 10, 2021 at 4:50 PM Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> wrote:
On Sat, Apr 10, 2021 at 12:59:34PM -0700, Michael Thomas wrote:
> Yeah, I was trying to verify whether google, amazon and facebook sign
> but it appears not? my dig fu is admittedly bad so I might be full of it
> (hopefully).
The largest US-based Internet companies have not yet signed their DNS
zones. The DNSSEC-signed domains among the top 500 Alexa-ranked sites
are:
europa.eu 53
nih.gov 62
paypal.com 81
cloudflare.com 91
chaturbate.com 115
cdc.gov 118
canva.com 158
stanford.edu 173
nasa.gov 198
force.com 201
time.com 208
salesforce.com 211
doi.org 235
foxnews.com 238
padlet.com 254
thestartmagazine.com 256
themeforest.net 258
debian.org 271
berkeley.edu 279
statcounter.com 285
addtoany.com 290
mediafire.com 309
taboola.com 313
ikea.com 321
loc.gov 331
pixabay.com 334
ietf.org 336
pki.goog 344
irs.gov 349
discord.com 354
fda.gov 375
avito.ru 385
hubspot.com 387
quizlet.com 392
whitehouse.gov 412
usda.gov 447
state.gov 448
epa.gov 489
noaa.gov 490
sciencedaily.com 491
--
Viktor.
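The thread turns on two observations: signing a zone secures nothing by itself, only validation at the relying party does, and operators rarely know how to tell a validation failure apart from an ordinary outage. The script below is an added example, not part of the original thread or anyone's posted code. It parses the header and answer section of dig-style output and classifies a name as secure, insecure, signed-but-unvalidated, bogus, or unreachable, using the standard trick of comparing a normal query against one with checking disabled (`dig +dnssec +cd`): a SERVFAIL that turns into NOERROR under CD is a validation failure, not a dead server. The dig transcripts, the names `signed.example.` and `unsigned.example.`, and the RRSIG payloads are constructed for the example; the script runs offline and never touches the network.

```python
"""Classify a name's DNSSEC state from two dig transcripts (normal and +cd)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DigSummary:
    status: str          # RCODE from the header line, e.g. NOERROR or SERVFAIL
    flags: frozenset     # header flags, e.g. {"qr", "rd", "ra", "ad"}
    has_rrsig: bool      # at least one RRSIG record in the answer section


def parse_dig(text: str) -> DigSummary:
    """Extract RCODE, header flags and RRSIG presence from dig-style output."""
    m = re.search(r"status:\s*([A-Z]+)", text)
    if not m:
        raise ValueError("no ->>HEADER<<- status line in dig output")
    f = re.search(r";; flags:\s*([a-z ]*);", text)
    flags = frozenset(f.group(1).split()) if f else frozenset()
    # dig prints answer RRs as: NAME TTL IN TYPE RDATA (whitespace-separated)
    has_rrsig = bool(re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", text, re.M))
    return DigSummary(m.group(1), flags, has_rrsig)


def classify(normal: DigSummary, cd: DigSummary) -> str:
    """normal = `dig +dnssec NAME` via a validating resolver; cd = same with +cd.

    A validating resolver answers SERVFAIL for a name whose signatures do not
    verify; with CD set it hands back the unverified data instead. That
    difference is the only reliable way to separate 'bogus' from 'down'.
    """
    if normal.status == "SERVFAIL":
        if cd.status == "NOERROR":
            return "bogus"          # data exists, validation failed: hard-fail, do not retry unsigned
        return "unreachable"        # fails even with CD: an outage, not a DNSSEC problem
    if "ad" in normal.flags:
        return "secure"             # resolver validated the whole chain of trust
    if normal.has_rrsig or cd.has_rrsig:
        return "signed-but-unvalidated"   # signatures present but nobody checked them (no DS, or non-validating resolver)
    return "insecure"               # unsigned zone; to a non-validating client this looks identical to stripped signatures


# Constructed dig transcripts (not real captures); RRSIG data is filler.
SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
signed.example.\t300\tIN\tA\t192.0.2.10
signed.example.\t300\tIN\tRRSIG\tA 13 2 300 20210501000000 20210401000000 12345 signed.example. QUJDREVGR0g=
"""
SECURE_CD = SECURE.replace("qr rd ra ad;", "qr rd ra cd;")

BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD = SECURE_CD            # under +cd the unverified answer comes back

DOWN = BOGUS
DOWN_CD = BOGUS.replace("qr rd ra;", "qr rd ra cd;")

INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
unsigned.example.\t300\tIN\tA\t192.0.2.20
"""
INSECURE_CD = INSECURE.replace("qr rd ra;", "qr rd ra cd;")

SIGNED_NO_AD = SECURE.replace("qr rd ra ad;", "qr rd ra;")   # RRSIG present, resolver did not validate


def demo() -> dict:
    """Run the classifier over every constructed pair; returns {label: verdict}."""
    pairs = {
        "signed.example (validated)": (SECURE, SECURE_CD),
        "signed.example (bad sig)": (BOGUS, BOGUS_CD),
        "signed.example (no AD)": (SIGNED_NO_AD, SECURE_CD),
        "unsigned.example": (INSECURE, INSECURE_CD),
        "server outage": (DOWN, DOWN_CD),
    }
    return {k: classify(parse_dig(a), parse_dig(b)) for k, (a, b) in pairs.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} -> {verdict}")
```

The verdict strings map directly onto a policy: `secure` is the only state in which DNSSEC has bought you anything, `bogus` must fail closed (falling back to an unvalidated answer is exactly the behaviour the thread complains nobody has thought through), and `insecure` or `signed-but-unvalidated` should be treated as no better than an unsigned zone, whatever the zone operator did.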