I think what you're saying is that since DNS is distributed, you can get information without needing to make all the calls you'd typically need to:
1. DNS query to IP
2. Call to IP
3. Get certificate
4. Call to CA(s)
5. Etc.
Now you just find the nearest DNS record, check it is signed correctly, and the data is there.
If this isn't it, I will have to tip my hat and admit this went over my head. 🧢
TLS you cannot provide a proof for (it’s asymmetric in the cert but used to derive symmetric keys, so you can forge a transcript). DNS is not, so, like you say, you can avoid all the complexity, and a totally untrusted device can provide a proof to a totally offline device (e.g. a hardware wallet).
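
The contrast drawn in the reply above, as an added example that is not part of the thread: a record authenticated with a key both endpoints hold proves nothing to a third party, while a signed record can be checked offline by anyone holding the public key. Assumptions: HMAC stands in for TLS record protection, a toy Lamport one-time signature stands in for the RSA/ECDSA signatures DNSSEC actually uses, and all names and sample data are constructed.

```python
import hashlib, hmac, os

def record_tag(session_key: bytes, seq: int, payload: bytes) -> bytes:
    """MAC over one record, keyed with a secret that BOTH endpoints hold."""
    msg = seq.to_bytes(8, "big") + payload
    return hmac.new(session_key, msg, hashlib.sha256).digest()

def transcript_ok(session_key: bytes, transcript) -> bool:
    """What a third party could check if handed the session key afterwards."""
    return all(hmac.compare_digest(tag, record_tag(session_key, i, body))
               for i, (body, tag) in enumerate(transcript))

def _bits(msg: bytes):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    """Toy one-time signature key (assumption: stands in for a zone signing key)."""
    sk = [[os.urandom(32) for _ in range(256)] for _ in range(2)]
    pk = [[hashlib.sha256(x).digest() for x in row] for row in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes):
    return [sk[b][i] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == pk[b][i]
        for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def compare():
    # Constructed sample data; no real protocol messages are parsed here.
    session_key = os.urandom(32)           # known to client AND server
    sent = [(b"balance=10", record_tag(session_key, 0, b"balance=10"))]
    # The client holds the same key, so it can tag a record the server never sent.
    made_up = [(b"balance=9999", record_tag(session_key, 0, b"balance=9999"))]

    sk, pk = lamport_keygen()              # only the signer holds sk
    record = b"example.test. TXT balance=10"
    sig = lamport_sign(sk, record)         # can be relayed by any untrusted device
    return {
        "mac_sent": transcript_ok(session_key, sent),
        "mac_made_up": transcript_ok(session_key, made_up),
        "sig_record": lamport_verify(pk, record, sig),
        "sig_altered": lamport_verify(pk, b"example.test. TXT balance=9999", sig),
    }

if __name__ == "__main__":
    print(compare())
```

Both MAC'd transcripts verify, so a verifier cannot tell which one the server produced; only the signed record rejects the altered content.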