upvote

points

by account424 hours ago |
comments
upvoteby theamk4 hours ago|
[-]
Maybe, but then can only do it once. Then they get caught, and their CA is distrusted. See Diginotar [0] for example.

And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party.

If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country?

[0] https://blog.mozilla.org/security/2011/09/02/diginotar-remov...

reply
upvoteby Fnoord3 minutes ago|
parent|
next
[-]
[delayed]
reply
upvoteby JumpCrisscross2 hours ago|
parent|
prev|
next
[-]
Side note: “DigiNotar BV was a Dutch certificate authority from 1998 to 2011. It was acquired in January 2011 by VASCO and subsequently declared bankrupt in September of the same year” [1].

I didn’t realize the slapped their face on the pavement right after being acquired.

[1] https://en.wikipedia.org/wiki/DigiNotar

reply
upvoteby 2 hours ago|
parent|
prev|
[-]
deleted
reply