Fraudulent certificates in the wild — again
Posted Jan 6, 2013 19:53 UTC (Sun) by giraffedata
In reply to: Fraudulent certificates in the wild — again
Parent article: Fraudulent certificates in the wild — again
That still doesn't address the issue that when you blacklist a certificate authority, you're hurting not only the CA, but all the people who got legitimate certificates from them in the past and their partners.
Maybe we should handle the fact that CAs simply aren't trustworthy by having everyone have certificates from at least 3 separate chains of trust and have to present at least two of them to be considered authenticated. I wonder if the protocol allows for that.
Then not only would these fraudulent Google certificates not work, but revocation of the CA's valid certificates wouldn't hurt much either (other than the issuer, who would have to give refunds).
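The k-of-n idea in the comment above, as an added example that is not the commenter's code: a verifier that only accepts a name when at least two distinct, non-blacklisted roots vouch for it, so a single mis-issuing CA fails the check and revoking one CA leaves holders of three certificates still authenticated. The CA names, keys and host name are constructed, and an HMAC tag stands in for a real CA signature (this is hypothetical helper code, not a protocol extension).

```python
import hmac
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # host name the certificate is for
    issuer: str    # root CA whose chain of trust this certificate comes from
    tag: str       # toy stand-in for the CA's signature (HMAC over issuer|subject)

def _tag(ca_key: bytes, issuer: str, subject: str) -> str:
    # Stand-in for signature creation/verification; a real check would verify
    # the chain's signatures against the root's public key instead.
    return hmac.new(ca_key, f"{issuer}|{subject}".encode(), hashlib.sha256).hexdigest()

def issue(issuer: str, ca_key: bytes, subject: str) -> Cert:
    """Toy CA: the holder of ca_key vouches for subject (hypothetical helper)."""
    return Cert(subject, issuer, _tag(ca_key, issuer, subject))

def vouching_roots(certs, trusted_roots, revoked, subject):
    """Distinct, still-trusted roots that present a valid certificate for subject."""
    roots = set()
    for c in certs:
        if c.subject != subject:
            continue                      # certificate is for some other name
        if c.issuer in revoked or c.issuer not in trusted_roots:
            continue                      # blacklisted or unknown chain of trust
        expected = _tag(trusted_roots[c.issuer], c.issuer, c.subject)
        if hmac.compare_digest(expected, c.tag):
            roots.add(c.issuer)           # a set: one CA never counts twice
    return roots

def authenticated(certs, trusted_roots, revoked, subject, required=2):
    """k-of-n policy: at least `required` independent chains must vouch."""
    return len(vouching_roots(certs, trusted_roots, revoked, subject)) >= required

# Constructed sample: three independent root CAs known to the verifier.
ROOTS = {"CA-A": b"key-a", "CA-B": b"key-b", "CA-C": b"key-c"}
LEGIT = [issue(name, key, "www.example.com") for name, key in ROOTS.items()]
# A single compromised CA mis-issuing for the same name (the fraudulent-cert case).
ROGUE = [issue("CA-A", ROOTS["CA-A"], "www.example.com")]

if __name__ == "__main__":
    print(authenticated(LEGIT, ROOTS, set(), "www.example.com"))      # True
    print(authenticated(ROGUE, ROOTS, set(), "www.example.com"))      # False
    print(authenticated(LEGIT, ROOTS, {"CA-A"}, "www.example.com"))   # True
```

Presenting the same rogue certificate twice still yields one vouching root, so duplicates cannot reach the threshold.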