That still doesn't address the issue that when you blacklist a certificate authority, you're hurting not only the CA, but all the people who got legitimate certificates from them in the past and their partners.
Maybe we should handle the fact that CAs simply aren't trustworthy by having everyone have certificates from at least 3 separate chains of trust and have to present at least two of them to be considered authenticated. I wonder if the protocol allows for that.
Then not only would these fraudulent Google certificates not work, but revocation of the CA's valid certificates wouldn't hurt much either (other than the issuer, who would have to give refunds).
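A small model of the "present at least two of three chains" rule proposed in the comment above, added here as an illustration and not part of the original post or of any TLS implementation. Signature checking is left out, and the names `Cert`, `chain_root`, `authenticate` and the `Root-*` authorities are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # name only; signature verification is out of scope for this model

def chain_root(chain, hostname, trusted_roots):
    """Return the trusted root a chain ends at, or None if the chain is unusable."""
    if not chain or chain[0].subject != hostname:
        return None
    # Each certificate must be issued by the next certificate in the chain.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return None
    root = chain[-1].issuer
    return root if root in trusted_roots else None

def authenticate(chains, hostname, trusted_roots, quorum=2):
    """Accept only if `quorum` chains end at *different* trusted roots."""
    roots = {chain_root(c, hostname, trusted_roots) for c in chains}
    roots.discard(None)
    # Counting distinct roots is the point: two chains from one CA count once.
    return len(roots) >= quorum

# Constructed sample data: three independent roots.
ALL_ROOTS = frozenset({"Root-A", "Root-B", "Root-C"})

def site_chains(host):
    """A legitimate site holding one chain under each of the three roots."""
    return [[Cert(host, "Int-" + r[-1]), Cert("Int-" + r[-1], r)]
            for r in sorted(ALL_ROOTS)]

def misissued_chains(host, bad_root, copies=2):
    """Chains a single misbehaving CA could issue: many, but all under one root."""
    return [[Cert(host, f"Int-{bad_root[-1]}{i}"), Cert(f"Int-{bad_root[-1]}{i}", bad_root)]
            for i in range(copies)]

if __name__ == "__main__":
    host = "shop.example"
    print("legitimate site:", authenticate(site_chains(host), host, ALL_ROOTS))
    print("one CA misissues:", authenticate(misissued_chains(host, "Root-A"), host, ALL_ROOTS))
    print("after distrusting Root-A:",
          authenticate(site_chains(host), host, ALL_ROOTS - {"Root-A"}))
```

With `quorum=1`, which corresponds to accepting any single valid chain, the mis-issued chains are accepted; the quorum only helps if the roots are counted as distinct authorities.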
Copyright © 2017, Eklektix, Inc.