482 points sanqui | 1 comments
resters No.42285484
The simple solution would be to have independent entities offer trust assertions about CAs and to allow users to consider multiple entities' views in their decision about whether to trust. It's surprising this doesn't exist yet when the attack vector is so clear.
tptacek No.42285498
This is something more akin to a client software bug than a WebPKI issue. Any alternative PKI scheme you could come up with would still be subject to Microsoft cutting deals.
1. silotis No.42286165
With DNSSEC + DANE, Brazil would not have needed to make any deal with MS to be able to issue certs for .br domains, and they would not have been able to issue a cert for google.com.

Admittedly, DNSSEC has issues, to put it mildly, but it does serve as a counterexample to your claim.