flori_ava_star:~cursor_blinking made-with-estrogen @star@amazonawaws.com
4w
re: security questions @luna
have you thought about using TLS client certificates for authenticating to remote servers instead of a homebrew auth protocol?
i think that as an authr/n protocol, OIDC has lots of advantages in terms of how familiar users are with it, and how very versatile it is inherently.

But no, I have not thought about it yet :3

About DNSSEC: I have just read a blogpost by Cloudflare about it, and this sounds very funny:
In the Root Signing Ceremony, several selected individuals from around the world come together and sign the root DNSKEY RRset in a very public and highly audited way. The ceremony produces an RRSIG record that can be used to verify the root name server’s public KSK and ZSK. Instead of trusting the public KSK because of the parent’s DS record, we assume that it’s valid because we trust the security procedures around accessing the private KSK.
I guess my thought process here is: "If this is ok for the entire internet to use, then I think it should be okay for me as well". And, regardless:

- Unencrypted communications are, by design, not private enough to be used in a scenario where security is of a large concern
- Encrypted communications that are lean in clear-text metadata and encrypted in ways that explicitly exclude the relaying server from the circle of trust already mitigate the consequences of a potential PITM (puppy-in-the-middle) attack to a good extent. Encrypted communications over polyproto will follow such a design.

,,,what's ur verdict on this