QC breaks perfect forward secrecy schemes using non-PQC algorithms, same as for non-PFS. PFS schemes typically use single-use ephemeral DH/ECDH key pairs for symmetric key exchange, separate from the long-term signing keys for authentication.
So we're worried about cops violating civil liberties by not getting a warrant, but we'd rather they go harass random (potentially innocent) civilians to do investigations?
Huh? They really don't. It's actually kind of unfortunate that browsers don't have uniform policies about what certificates they accept, but for obvious reasons each browser wants to make their own decision.
They do have uniform policies, those policies come from the aforementioned CA/Browser Forum, which has been issuing its Baseline Requirements for over a decade.
The fact that it's 2026 and the CAs are only now getting around to requiring any CA to take DNSSEC, which has in its current form been operational for well over a decade, makes you take DNSSEC more seriously?
LetsEncrypt has been checking for DNSSEC since they launched 10+ years ago.
The ACME standard recommends ACME-based CAs use DNSSEC for validation, section 11.2 [1]:
An ACME-based CA will often need to make DNS queries, e.g., to
validate control of DNS names. Because the security of such
validations ultimately depends on the authenticity of DNS data, every
possible precaution should be taken to secure DNS queries done by the
CA. Therefore, it is RECOMMENDED that ACME-based CAs make all DNS
queries via DNSSEC-validating stub or recursive resolvers. This
provides additional protection to domains that choose to make use of
DNSSEC.
An ACME-based CA must only use a resolver if it trusts the resolver
and every component of the network route by which it is accessed.
Therefore, it is RECOMMENDED that ACME-based CAs operate their own
DNSSEC-validating resolvers within their trusted network and use
these resolvers both for CAA record lookups and all record lookups in
furtherance of a challenge scheme (A, AAAA, TXT, etc.).
Yes, that's my understanding as well. You'll notice my top-level comment from a few hours ago says that as well.
(You edited your comment to include more detail about when LE started validating DNSSEC; all I know is that it's been many years that they've been doing it.)
Why dodge the question? Clearly they care today, and I live in today.
If we're doing to defer to industry, does only the opinion of website operators matter, or do browsers and CAs matter too? Browsers and CAs tend to be pretty important and staff big security teams too.
Barely 5% of the internet have DNSSEC signed zones and a big chunk of that are handled by CDN's that do the signing automagically for the domain owner as they also host SOA DNS. Mandating DNSSEC would require years of planning and warning those that have not yet set it up and in my opinion DNSSEC tooling should become a better first class citizen in all of the authoritative DNS daemons. as in there should be so many levels of error handling and validation that it would be next to impossible for anyone to break their zones.
So do we wait for all the stragglers? Wait for the top 500 or top 2500 to make it mandatory? Who takes financial responsibility for those that fell through the cracks?
No CA requires DNSSEC. Obviously they can't: almost nothing is signed. The only change "today" is that technically CAs are now required to honor DNSSEC, where they weren't before.
I think the fact they don't require it shows it's moribund. If cert providers (or google with their big stick of chrome) specified it is required to have DNSSEC to get a certificate, everyone would jump in line and set it up because there'd be no other choice.
I agree that not checking it all is an even worse signal. I'm just saying the fact that this is officially enforced only in 2026 is itself a bad signal. At any rate, the CAs you'd have worked with were enforcing DNSSEC this whole time.
I agree that it's relatively easy for CAs to validate DNSSEC. I think the fact that they weren't technically required to, despite the sole remaining use case for DNSSEC being to protect against misissuance, is a pretty strong indicator of how cooked DNSSEC is.
Is massive capital expenditure not also required to enforce the GPL? If some company steals your GPLed code and doesn't follow the license, you will have to sue them and somebody will have to pay the lawyers.
> Is massive capital expenditure not also required to enforce the GPL?
It's nowhere near the order of magnitude of the kind of spending they're sinking into LLM's. The FSF and other groups were reasonably successful at enforcing the GPL, operating on a budget 1000's of times smaller than that of AI companies.
Right but LLM companies are building frontier models with frontier talent while trying to sock up demand with a loss leader strategy, on top of an historic infrastructure build out.
Being able to coat efficiently run frontier models is i think, not a high priced endeavor for an org (compared to an individual).
IMO the proposition is little fishy, but its not totally without merit and imo deserves investigation. If we are all worried about our jobs, even via building custom for sale software, there is likely something there that may obviate the need at least for end user applications. Again, im deeply skeptical, but it is interesting.
> Being able to coat efficiently run frontier models is i think, not a high priced endeavor for an org
Running proprietary model would make you subject to whatever ToS the LLM companies choose on a particular day, and what you can produce with them, which circles back to the raison d'etre for the GPL and GNU.
Until all software copyright is dead and buried, there is no need for copyleft to change tack. Otherwise there rising tide may rise high enough to drown GPL, but not proprietary software.
Open source is easier to counterfeit/license-launder/re-implement using LLMs because source code is much lower-hanging fruit, and is understood by more people than closed-source assembly.
No, the real law is what's written by the Tampa/Florida legislature (or I guess you could say the "real real" law is judges' interpretations of what is written). While it may be inconvenient, if you are falsely issued a ticket while following the real law you can have the ticket thrown out.
I don't know for sure because I don't live in Tampa, but it is generally free (minus the opportunity cost of your time) for these types of tickets, no lawyer or other expense required.
How would you find a government entity? This is just moving money from one government budget to another.
The USPS is like this because of the persistent belief that it's not enough for government entities (think USPS, Amtrak, etc) to provide a good service for the citizens - they must also (try to) turn a profit.
If we as a society considered it acceptable for the USPS to spend money to ensure everyone in the US had mail access without selling out to corporations to turn a profit, they wouldn't need to have products like EDDM blasting spam to entire zip codes.
The whole governmental agencies should be profit seeking businesses needs to died ignobly in a ditch. The reason we pay taxes is so that we don't have to handle the logistics of running the thing we pay for.
If you want to adopt this in your project, you can add a linter that explicitly bans innerHTML (and then go fix the issues it finds). Obviously Mozilla cannot magically fix the code of every website on the web but the tools exist for _your_ website.
Not them but the formatting screams LLM to me. Random "bolding" (rendered on this website as blue text) of phrases, the heading layout, the lists at the end (bullet point followed by bolded text), common repeats of LLM-isms like "A. Not B". None of these alone prove it but combined they provide strong evidence.
While I wouldn't go so far as to say the post is entirely made up (it's possible the underlying story is true) - I would say that it's very likely that OP used an LLM to edit/write the post.
reply