[Cryptography] The EFF 650 CAs lie
fw at deneb.enyo.de
Mon May 4 00:52:45 EDT 2020
> I think a major issue that makes detection hard is that we don't have
> reliable means of tracking worldwide certificate use.
There is, via Certificate Transparency, but those offer services need
to be bothered to actually check those resources for misissued
certificates. Determining whether a certificate is in fact misissued
can be quite hard for organizations of just moderate size.
> Who exactly will realize that the valid certificate for site X is
> being used by a server on the wrong IP?
Why would that be a problem? Surely this is not the failure mode for
the browser PKI.
More information about the cryptography