
> In theory DNSSEC should replace the CAs for domain validated certificates.

DNSSEC still has a central trust anchor that signs the records. Convergence is completely distributed.



I'm not sure how you think Convergence is going to remove the central trust of DNS: If the attacker has control of your DNS records then every one of the notaries is going to go to the wrong IP address to check the certificate and they'll all see the same (wrong) one.

Convergence also requires client support on all the clients before you can stop using CA-signed certificates, which isn't going to happen quickly. A CA (or someone who bought an intermediary CA certificate from an existing CA) could set up the thing I described in a matter of hours and henceforth anybody who needs a domain validated TLS certificate could get one instantly, securely and for free by just adding a DNS record and visiting that website.


> I'm not sure how you think Convergence is going to remove the central trust of DNS: If the attacker has control of your DNS records then every one of the notaries is going to go to the wrong IP address to check the certificate and they'll all see the same (wrong) one.

Notary requests use TLS too: If an attacker redirects my requests to other (untrusted) notaries my client will complain because it has the (self-signed) certs of the notaries cached. I can buy two or more servers in different counties, install the notary server on them, copy&paste the cert of the notaries in my client, and from that moment on Convergence works and my TLS connections are secure.

> Convergence also requires client support on all the clients before you can stop using CA-signed certificates, which isn't going to happen quickly.

Clients that use Convergence are effectively CA free from the moment they install it. The others can follow incrementally.

> A CA (or someone who bought an intermediary CA certificate from an existing CA) could set up the thing I described in a matter of hours and henceforth anybody who needs a domain validated TLS certificate could get one instantly, securely and for free by just adding a DNS record and visiting that website.

Notary certs are self-signed. A browser vendor could set up a few notary servers that use certs they signed themselves and ship with them by default. Browser vendors already ship with the CA certs, so instead of the CA certs they would ship with their own cert that signed the ones the notaries use. If you don't trust them, use your own notaries, no problem. Everything works like before. I just think it's an awesome idea.


> Clients that use Convergence are effectively CA free from the moment they install it. The others can follow incrementally.

In other words, the servers have to keep using CA certificates for however many years it takes for the rest of the clients to "follow incrementally." Hence what I'm proposing.

> Notary requests use TLS too: If an attacker redirects my requests to other (untrusted) notaries my client will complain because it has the (self-signed) certs of the notaries cached. I can buy two or more servers in different counties, install the notary server on them, copy&paste the cert of the notaries in my client, and from that moment on Convergence works and my TLS connections are secure.

You misunderstand. The problem is not for the client when the attacker controls a DNS resolver, the problem is for everybody when the attacker controls a DNS TLD. You're trying to verify the certificate for democracy.cn which is supposed to resolve to 1.2.3.4, but China changes its DNS record so that it points to 6.7.8.9 which is the Chinese government's MITM server. Now you go out and ask ten thousand notaries, what's the certificate for democracy.cn? They all resolve it to 6.7.8.9, get the attacker's certificate from China's MITM server and tell you they all saw the same certificate. But it's the attacker's certificate.

The existing CA system doesn't solve this. The attacker that can control a TLD is the sort that can control a CA. But you're claiming Convergence would fix it, which is a misunderstanding of what Convergence does. Convergence is solving an entirely different problem.

The thing that (mostly) fixes it is certificate pinning. It doesn't fix it if the attacker starts the attack as soon as the server is put online (which is about a thousand times harder for the attacker to do than the status quo), and I'm not actually sure how they deal with certificates legitimately changing over time, but certificate pinning really does go a long way to preventing any central authority from being able to MITM arbitrary connections.

I see your confusion because Moxie Marlinspike is the one advocating both certificate pinning (i.e. TACK) and Convergence and you can use them together. But there is no technical reason you couldn't also use certificate pinning in combination with DNSSEC. Or use all three together, essentially using the DNSSEC signed certificate as an additional notary.

The existence of Convergence as something cool we should all be using ten years from now doesn't mean we don't still need transitional measures in the meantime. Moxie is playing the long game. If you want to do something today then you need to somehow deal with all the clients that don't support it yet.
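
The scenarios argued over in the comment above, modelled as an added example that is not part of the original thread: notary agreement catches a poisoned local resolver but not a changed TLD record, while a pin set on an earlier visit catches both. Pinning is assumed here to be trust-on-first-use of a SHA-256 certificate fingerprint (simpler than TACK), and `PinStore`, `connect` and `scenarios` are hypothetical names.

```python
import hashlib

# Constructed model: hostname, IPs and certificate bytes are illustrative only.
GOOD_IP, MITM_IP = "1.2.3.4", "6.7.8.9"
SERVERS = {GOOD_IP: b"real server cert", MITM_IP: b"MITM server cert"}
HOST = "democracy.cn"

def fingerprint(ip):
    """SHA-256 fingerprint of the certificate served at this address."""
    return hashlib.sha256(SERVERS[ip]).hexdigest()

class PinStore:
    """Trust-on-first-use pins: the first fingerprint seen for a host is kept."""
    def __init__(self):
        self.pins = {}
    def check(self, host, fp):
        return self.pins.setdefault(host, fp) == fp

def connect(client_dns, notary_dns, pins, n_notaries=10):
    """Return what each check says about the certificate the client was served."""
    seen = fingerprint(client_dns[HOST])
    # Every notary resolves the name independently, but through the same DNS hierarchy.
    reports = [fingerprint(notary_dns[HOST]) for _ in range(n_notaries)]
    return {"notaries_ok": all(r == seen for r in reports),
            "pin_ok": pins.check(HOST, seen)}

def scenarios():
    honest, hijacked = {HOST: GOOD_IP}, {HOST: MITM_IP}
    pins = PinStore()
    results = {}
    results["baseline"] = connect(honest, honest, pins)
    # Only the client's resolver lies: notaries still reach the real server.
    results["local_resolver"] = connect(hijacked, honest, PinStore())
    # The TLD record itself changes: client and notaries all reach the MITM server.
    results["tld_with_pin"] = connect(hijacked, hijacked, pins)
    results["tld_first_visit"] = connect(hijacked, hijacked, PinStore())
    return results

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} {result}")
```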


> You misunderstand.

Yes I did. Thanks for clarifying.

> The existing CA system doesn't solve this.

So that's why Moxie is pushing for TACK. Now I understand how it all works together.

> The attacker that can control a TLD is the sort that can control a CA. But you're claiming Convergence would fix it.

No I don't. I didn't even think about that scenario.

Thanks for the discussion. HN is awesome.



