482 points sanqui | 3 comments
cjalmeida ◴[] No.42285429[source]
It gets worse. ICP-Brasil, the AC mentioned in the bug reports, is the government-run agency responsible for all things related to digital signatures. Digitally signing a contract, a deed, accessing tax returns…
replies(2): >>42285683 #>>42286883 #
layer8 ◴[] No.42285683[source]
Unlike web browsers, digital signature use cases should perform revocation checks, so revoking the google.com certificate should solve that.
replies(3): >>42285783 #>>42285825 #>>42292286 #
1. lxgr ◴[] No.42285825[source]
The problem here isn't really that one mis-issued certificate, but rather the general problematic behavior of that CA reported in TFA.

If a CA can be convinced to issue a server certificate for google.com, would you feel very comfortable trusting their contract/deed/... signing certificates?

replies(1): >>42287529 #
2. Muromec ◴[] No.42287529[source]
If the government says you need to use their CA, you may feel the feelings, but you will still use them.
replies(1): >>42298170 #
3. KetoManx64 ◴[] No.42298170[source]
What would stop me from purging all this CA's certificates from my computer?