(follow.agwa.name)

482 points sanqui | 1 comments | 30 Nov 24 21:35 UTC | HN request time: 0.326s | source

Show context

cjalmeida ◴[01 Dec 24 01:32 UTC] No.42285429[source]▶

It gets worse. ICP-Brasil, the AC mentioned in the bug reports, the the government run agency responsible for all things related to digital signatures. Digitally signing a contract, a deed, accessing tax returns…

replies(2): >>42285683 #>>42286883 #

layer8 ◴[01 Dec 24 02:33 UTC] No.42285683[source]▶

>>42285429 #

Unlike web browsers, digital signature use cases should perform revocation checks, so revoking the google.com certificate should solve that.

replies(3): >>42285783 #>>42285825 #>>42292286 #

perching_aix ◴[01 Dec 24 02:53 UTC] No.42285783[source]▶

>>42285683 #

I think the current "meta" is CAA records? https://blog.cloudflare.com/why-certificate-pinning-is-outda...

replies(2): >>42285927 #>>42292557 #

syncsynchalt ◴[02 Dec 24 02:31 UTC] No.42292557[source]▶

>>42285783 #

CAA records rely on the CAs to respect them, and this is an article about how a CA has issued a cert in violation of a CAA record.

replies(1): >>42292602 #

1. perching_aix ◴[02 Dec 24 02:41 UTC] No.42292602[source]▶

>>42292557 #

Oh right, for some reason I was under the impression that browsers utilize the record too.

↑

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com