Maybe a noob question: why are SSL/TLS certs not decentralized? Is it not possible to set a public key in a DNS TXT record and have the private key on the server? Would that not solve encryption? Why do we need SSL/TLS certs from a CA like LetsEncrypt?
What you're talking about exists: it's called DANE: <a href="https://en.m.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities" rel="nofollow noreferrer">https://en.m.wikipedia.org/wiki/DNS-based_Authentication_of_...</a>
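To make the DANE pointer concrete: the scheme publishes a TLSA record (RFC 6698) that carries a hash of the server's certificate or of its SubjectPublicKeyInfo, and the client compares that against what the TLS handshake presents. The following is an added illustration written for this thread, not code from the comment author or from any DANE implementation. The "certificate" and "SPKI" bytes are constructed placeholders, not a real key, and the DNSSEC-validated flag is an assumed input that a real resolver would supply (the AD bit); without DNSSEC the record is just unauthenticated DNS and proves nothing.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for a DER certificate and its SPKI (not a real key).
SAMPLE_SPKI = b"constructed-subject-public-key-info-bytes"
SAMPLE_CERT = b"constructed-cert-header" + SAMPLE_SPKI + b"constructed-signature"
OTHER_SPKI = b"a-different-constructed-public-key"


def tlsa_assoc_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate association data as defined by RFC 6698 section 2.1.
    selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if selector not in (0, 1):
        raise ValueError(f"unknown selector {selector}")
    data = cert_der if selector == 0 else spki_der
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_record(cert_der: bytes, spki_der: bytes, usage: int = 3, selector: int = 1, matching_type: int = 1) -> str:
    """Render the RDATA of a TLSA record the way it would appear in a zone file,
    e.g. '3 1 1 <hex digest>' (DANE-EE, SPKI, SHA-256), the usual choice for self-managed keys."""
    assoc = tlsa_assoc_data(cert_der, spki_der, selector, matching_type)
    return f"{usage} {selector} {matching_type} {assoc.hex()}"


def dane_ee_matches(record: str, cert_der: bytes, spki_der: bytes, dnssec_validated: bool) -> bool:
    """Client-side check: does the presented certificate match the TLSA record?
    Only DANE-EE (usage 3) is handled here; usages 0-2 additionally need PKIX chain building.
    The record is trusted only if the resolver authenticated it with DNSSEC."""
    if not dnssec_validated:
        return False
    usage, selector, mtype, assoc_hex = record.split()
    if int(usage) != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is implemented in this example")
    expected = tlsa_assoc_data(cert_der, spki_der, int(selector), int(mtype))
    # Constant-time comparison, as for any credential check.
    return hmac.compare_digest(expected, bytes.fromhex(assoc_hex))


if __name__ == "__main__":
    rec = tlsa_record(SAMPLE_CERT, SAMPLE_SPKI)
    print("_443._tcp.example.com. IN TLSA", rec)
    print("match:", dane_ee_matches(rec, SAMPLE_CERT, SAMPLE_SPKI, dnssec_validated=True))
```

The record would live at `_443._tcp.<hostname>`; the point the thread circles around is visible in `dane_ee_matches`: the hash binding replaces the CA signature, but the authenticity of the record itself is delegated entirely to DNSSEC, which is why a plain TXT record in an unsigned zone would not do.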
It’s not a trivial problem to solve.<p>See Zooko’s triangle: <a href="https://en.wikipedia.org/wiki/Zooko%27s_triangle" rel="nofollow noreferrer">https://en.wikipedia.org/wiki/Zooko%27s_triangle</a> and <a href="https://web.archive.org/web/20011020191610/http://zooko.com/distnames.html" rel="nofollow noreferrer">https://web.archive.org/web/20011020191610/http://zooko.com/...</a>
Simple: the financial interests of huge corporations like DigiCert.<p>They sit in standards bodies that could fill their moat and undermine every open effort.<p>It’s insidious and there’s not much anyone with less than a billion dollars of interest in the matter can do about it.<p>Maybe a government or mega corp like Google will fix it, but I’m not holding my breath…
Why not use the public key as the IP?
Like yggdrasil-go, use `public_key.sha256.first_63_bit === ipv6[1..64]` (the details may be slightly off, but this is how it works).
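The scheme sketched in that comment, as an added illustration for this thread (not code from the comment author and not yggdrasil-go's actual address derivation, whose details differ): the top 64 bits of an IPv6 address are formed from one fixed prefix bit plus the first 63 bits of SHA-256 over the public key, so anyone can check that an address is bound to a key, and the key holder can prove ownership by signing. The prefix bit value and the 32-byte "public keys" below are constructed assumptions.

```python
import hashlib
import ipaddress

PREFIX_BIT = 1  # assumed: one leading bit reserved to mark the overlay's address range

# Constructed sample keys (random-looking fixed bytes, not real Ed25519/X25519 keys).
KEY_A = bytes(range(32))
KEY_B = bytes(reversed(range(32)))


def address_from_pubkey(pubkey: bytes, host_suffix: int = 0) -> ipaddress.IPv6Address:
    """Bit 0 of the address is the overlay prefix bit, bits 1..63 are the first 63 bits
    of SHA-256(pubkey), and the low 64 bits are free for the host to choose."""
    if not 0 <= host_suffix < (1 << 64):
        raise ValueError("host suffix must fit in 64 bits")
    digest = hashlib.sha256(pubkey).digest()
    hash63 = int.from_bytes(digest[:8], "big") >> 1   # keep the top 63 bits of the first 8 bytes
    top64 = (PREFIX_BIT << 63) | hash63
    return ipaddress.IPv6Address((top64 << 64) | host_suffix)


def address_bound_to_key(addr: ipaddress.IPv6Address, pubkey: bytes) -> bool:
    """Verifier side: recompute the key-derived half and compare it with the presented address.
    The low 64 bits carry no key material, so they are ignored here."""
    expected_top = int(address_from_pubkey(pubkey)) >> 64
    return (int(addr) >> 64) == expected_top


if __name__ == "__main__":
    addr = address_from_pubkey(KEY_A, host_suffix=1)
    print(addr, "bound to KEY_A:", address_bound_to_key(addr, KEY_A))
    print(addr, "bound to KEY_B:", address_bound_to_key(addr, KEY_B))
```

What this does solve is the "is this endpoint the holder of this key?" question without a third party. What it does not solve is the part the CA system is actually used for on the public web: mapping a human-readable name such as example.com to that key, which is the corner of Zooko's triangle mentioned upthread, and the 63-bit truncation also means address collisions are only computationally, not structurally, impossible.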
Well, yggdrasil is an overlay network, it can do that. But the ISP network can't.
Maybe we all should move to an overlay network.
1. A TXT record adds more time to the request, since you can't start the request before opening a TLS connection.
2. The browser has to go through all the TXT records. My domains already have 4-5 TXT records.
3. DNS is still pretty much insecure. DNSSEC is still not always available.
Popular browsers are controlled by so-called "tech" companies that sell advertising services and seek to profit from online purchases.<p>These so-called "tech" companies exert oversized control over the CA scheme.<p>Pure coincidence.