
> No, real security is achieved by mathematical / cryptographic impossibility.

You can't do trust that way. It's an entirely human concept, for which we use cryptography so that it scales better.

> That doesn't matter at all

Says you? Again. You're ignoring half of the rationale behind CT (which I will *not* be rephrasing here, it's freely available to read).

> What a good argument.

It is. Unless you can actually show a working DNSSEC transparency standard, it doesn't exist. Some hypothetical future feature to remedy flaws is *really* not a strong argument towards DNSSEC.

> Well, if I'm wrong why don't you tell me why I'm wrong? How is that an argument?

There's no argument, just your opinion. It's starting to become funny how vague this discussion is becoming with you avoiding providing anything of substance that could be properly refuted.

> In DNSSEC+DANE they could only attack their own TLDs.

Huh? They'd attack any of the myriad registries, just like they could attack CAs. It's just that CAs are held to a much higher standard and supervision. You can't just ignore that part.

> In DNSSEC+DANE governments can't compromise CAs, because they wouldn't exist.

This is just nominative pedantry, they're functionally still trust authorities that can be compromised. Call them CAs or Key-As, it doesn't matter.

> Well, if you think it's FUD, are you going to actually provide valid technical arguments about why it's FUD

It's very asymmetric effort for me to counter non-technical opinions and hypotheticals with technical ones. Not very fair towards my time and I'm not going to.

> completely miss the points I was making and then accuse me of FUD?

You're the one calling it "insecure WebPKI" while dismissing everything wrong with DNSSEC, so it's not even an accusation, it's an astute observation.
