[messaging] The Trouble with Certificate Transparency

Tao Effect contact at taoeffect.com
Fri Sep 26 19:40:08 PDT 2014


Hi Emre,

> @Greg: Is a similar case valid for DNSchain when DNS queries are
> blocked/manipulated or just a few pre-defined DNS servers are allowed to
> be used?

Those are two questions, so I'll answer them separately:

> Is a similar case valid for DNSchain when DNS queries are blocked/manipulated

DNS queries cannot be manipulated (meaning there is nothing that allows them to be, technically speaking).

To prevent queries from being manipulated, you can use existing software like DNSCrypt, and combine it with DNSChain (this is what a couple of servers currently do).

Alternatively, if DNSCrypt isn't used, and queries are sent in the clear, then an extra record can be sent along with them (one of the DNSSEC records, RSIG I think) that can be used to verify the correctness of the response.

As far as them being blocked... well, I think that's the same as your other question (feel free to clarify if I'm misunderstanding you):

> or just a few pre-defined DNS servers are allowed to be used?

DNSChain (and any system) only works if you can get your data from someone or something that you have reason to trust.

If your connection is 100% censored, nothing will help you (except to take a trip outside of North Korea).

Thanks for the questions!

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
