(Deep-breath in, warning: rant)
This makes for a very problematic of continual hijacking AS link pathways between two hosts, notably between two countries.
BGPsec is well designed but remains largely unused (due to high-speed carrier-grade router's unwillingness to update firmware for new packet datagrams within BGP, not to mention requiring the addition of expensive de-crypt/re-crypte chipsets.
Interim SW-based solutions like BGP-ROA and BGP-ASPA are like HTTPS CAs, need to do PGP-style "trusting your friends' trusting other friends', ad naseum.
Alice trust Bob who trust Charles who trust Dave but Dave stabs Alice in the back. Um, no.
27 years of hosting my websites and DNSSec, but I can't prevent an island of Antigua to hijack my very own AS ... without all engaging in BGPSec. Unless all participate in BGPSec.
Crappy workaround such as the self-hosting of a RPKI API server is the HTTPS CA for that BGP AS hijack problem and it's still a wild, wild Internet.
Even then, that boondoggle infrastructure (Google/CloudFlare/DigiCert/LetsEncrypt) of mass Certificate Transparency (CT) monitoring station is trying to do fingerprint imprints of all the CAs' hash values for all websites; that design approach is time-sensitive and is a glaring weakness for not using dTLS/mTLS (where web servers ALSO authenticates its clients as well as the standard TLS client also authenticates web servers.
It is a lame brain scheme to ensure expansion of CT.
The correct architectual security stance is to prevent expensive audit scenario and ensure that the complexity moves from after-the-fact detection (CT) into stronger identity enrollment and authorization (DNSSEC, policy records, key continuity, CA constraints, possibly multi-CA approval).
People making more useless work, yet profit massively.
By doing individual CA with each websites, browser can then ditch the cookie tracking. And privacy restored (it leaks only to that website what you say)
But the $710B data collection industry will have questions.
I absolutely love the idea of auto-creating mTLS/dTLS for each client-website pairing at account creation time.
Ancillary infrastructure crumbles. Backends simplified. Things are faster and simpler for all parties involved (except those evil 3rd party scrapers/sniffer/email-reading scourges.
AI responded as: Benefits:
* eliminates password reuse
* reduces phishing surface
* eliminates many cookie-tracking mechanisms
* allows per-site identity isolation
* improves API/service authentication
the endpoints own the trust relationship; intermediaries provide transport, not identity.
Exactly how a well-designed military or critical-industrial equipment in the field should behave (to prevent inadvert usage of captured/hijacked endpoints)
/end-of-rant