
Yeah, but it doesn't check whether that guy on the other side is who he says he is, it only checks whether that domain on the other side is what it appears to be (registered via ICANN-approved registrar to "that guy"). DKIM relies on DNS. It checks on domains, not people. You have no reliable assurance from DKIM of who is actually controlling that domain. It might not be "that guy" but someone else. DNS is not without its vulnerabilities (including social engineering). Any security mechanism based on DNS is only as "secure" as DNS, which isn't very.
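The comment above makes the point that DKIM vouches for a signing domain, not a person. As an added example (not from the thread), this Python sketch parses a constructed DKIM-Signature header to show exactly what a verifier would be asserting: the d= domain, the DNS record (selector._domainkey.domain) the public key is fetched from, and whether the From: domain even aligns with it; the bh= and b= values are placeholders, so no signature is actually checked.

```python
import re

# Constructed sample headers (not from the thread); bh= and b= values are placeholders,
# so this only shows what a verifier would be asserting, not a real signature check.
ALIGNED_SAMPLE = """From: "That Guy" <thatguy@mail.example.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2024;
 h=from:to:subject:date; bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIG=
Subject: hello
"""

# Same shape, but signed by a third-party domain: DKIM passes for bulk-sender.example,
# which says nothing about who controls the From: domain.
UNALIGNED_SAMPLE = """From: "That Guy" <thatguy@example.org>
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.example; s=k1;
 h=from:subject; bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIG=
Subject: hello
"""

def unfold_headers(raw):
    """Join RFC 5322 continuation lines so each header occupies one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in sig_value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags

def dkim_assertion(raw_headers):
    """Return what a successful DKIM verification would actually establish:
    the signing domain (d=), the DNS name the public key comes from, and
    whether the From: domain even aligns with it (a separate, DMARC-style check;
    the subdomain rule here is a simplification of DMARC relaxed alignment)."""
    unfolded = unfold_headers(raw_headers)
    sig = re.search(r"^DKIM-Signature:\s*(.*)$", unfolded, re.M).group(1)
    tags = parse_dkim_tags(sig)
    domain, selector = tags["d"].lower(), tags["s"]
    from_addr = re.search(r"^From:.*?([\w.+-]+@[\w.-]+)", unfolded, re.M).group(1)
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    aligned = from_domain == domain or from_domain.endswith("." + domain)
    return {
        "signing_domain": domain,                           # the only identity DKIM vouches for
        "key_dns_name": f"{selector}._domainkey.{domain}",  # trust ultimately rests on this DNS record
        "from_domain": from_domain,
        "from_aligned": aligned,
    }
```

Even when the signature verifies, the result names a domain and a DNS record, never a person; the unaligned sample passes DKIM for the bulk sender while saying nothing about example.org.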


I mean you're technically not wrong, but how do you confirm ownership of an identity?

At some point you have to "trust a system". Block Chain, Social Security ID, Driver's License, Passport, even DNS are all susceptible to some form of attack vector.

I could do a DNA test to verify you, provided I did one before.

> is only as "secure" as DNS, which isn't very

I'd argue DNS itself is quite secure. It has lots of issues, but it's so widely used those issues are known and mitigated for. DNS as a system receives an insane amount of attacks. There's just too much money involved for people, attackers and defenders alike, not to pay attention.

I will agree that your DNS isn't secure. It's analogous to saying your Gmail isn't secure, but Gmail itself is just fine.


Well, Estonia has id-card, which in addition to ordinary id card functionality also provides PKI.

If I remember correctly, they rolled out PKI ~2005ish. It has done wonders for them. https://e-estonia.com/solutions/e-identity/id-card/ https://en.wikipedia.org/wiki/Estonian_identity_card


Which the EU is debating making mandatory in an equivalent Europe-wide version, and requiring websites/private companies to adopt and use it (via SAML; instead of username/passwords or things like OAuth/OpenID Connect). In this vision, any online interaction that would require an identity would minimally be required to accept your European identity, and may be prohibited (via GDPR or DSA) from offering other forms of sign-in.

Read the Roadmap at https://ec.europa.eu/info/law/better-regulation/have-your-sa... and comment on the Public Consultation if you have feelings about that.

Explicitly part of the goal is either a pan-European ID card or requiring every Member State to adopt one. Currently, MS aren’t required to. When the UK was in the EU, the idea of a digital ID that could be used by the government to track all of your activities online was... not popular. However, despite Brexit, the idea is being reintroduced, this time to “fight coronavirus”. https://www.bbc.com/news/uk-politics-54010432


Technically the institution owning the domain could forge the identity of one of its members. In practice, the sender having the password and Duo push for an institutional AD or G Suite account is a pretty good assurance.


This is the same argument as for DNS-based TLS certificates, and here we are, with good HTTPS connections that we can trust despite the awful CA system.
