160 points Metalnem | 1 comments
tonymet ◴[] No.44494808[source]
Is any amateur or professional auditing done on the CA system? Something akin to amateur radio auditing?

Consumers and publishers take certificates and certs for granted. I see many broken certs, or brands using the wrong certs and domains for their services.

SSL/TLS has done well to prevent eavesdropping, but it hasn't done well to establish trust and identity.

replies(4): >>44494951 #>>44494961 #>>44496524 #>>44497149 #
dlgeek ◴[] No.44497149[source]
Yes. All CAs trusted by browsers have to go through WebTrust or ETSI audits by accredited auditors.

See https://www.mozilla.org/en-US/about/governance/policies/secu... and https://www.ccadb.org/auditors and https://www.ccadb.org/policy#51-audit-statement-content

replies(2): >>44497273 #>>44503762 #
1. tonymet ◴[] No.44503762[source]
That's good news about the CAs, but how about the publisher certificates that are in use?