←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 1 comments | 30 Nov 24 21:35 UTC | HN request time: 0.202s | source
Show context
MattPalmer1086 ◴[01 Dec 24 10:35 UTC] No.42287582[source]
Things like this make me wonder why certificates are not also signed by the certificate owner.

Right now, a CA can issue a certificate for any public key and domain they like. A rogue trusted CA can intercept all traffic.

If a certificate also included a signature by the owner of the public key signed by the CA (using their private key, signed over the CA signature), then a CA would no longer have this ability.

What am I missing?

replies(3): >>42287627 #>>42287710 #>>42292346 #
1. bawolff ◴[02 Dec 24 01:51 UTC] No.42292346[source]
The entire point of a CA is to verify public keys. If the certificate owner already has a verified public key (to sign the certificate with), there would be no need for a CA.