[Cryptography] The EFF 650 CAs lie

Florian Weimer fw at deneb.enyo.de
Mon May 4 00:52:45 EDT 2020

* Natanael:

> I think a major issue that makes detection hard is that we don't have
> reliable means of tracking worldwide certificate use.

There is, via Certificate Transparency, but those offering services need
to be bothered to actually check those resources for misissued
certificates.  Determining whether a certificate is in fact misissued
can be quite hard for organizations of just moderate size.

> Who exactly will realize that the valid certificate for site X is
> being used by a server on the wrong IP?

Why would that be a problem?  Surely this is not the failure mode for
the browser PKI.
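The difficulty Florian points at is the matching step: once a CT monitor has the raw log entries for your names, deciding which ones are misissued requires an accurate inventory of what you actually requested. The following is an added example, not code from the list post or from any CT monitoring project; the log entries, inventory, CA names and fingerprints are constructed sample data, and the field layout of `LogEntry` is a simplification of what a monitor would extract from the logged (pre)certificate.

```python
"""Triage Certificate Transparency (CT) log entries against a domain owner's
inventory of certificates it knows it requested.

Added example, not code from the cryptography list post: it shows the
classification logic a CT monitor needs once the raw log feed exists.
All entries, fingerprints and CA names below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    """Minimal view of one CT log entry (simplified; a real monitor extracts
    these from the logged X.509 certificate or precertificate)."""
    sha256: str        # hex SHA-256 of the DER certificate (placeholder here)
    issuer: str        # issuer common name
    sans: tuple        # dNSName subjectAltNames
    not_before: str    # ISO date


@dataclass(frozen=True)
class Inventory:
    """What the domain owner believes is true about its own certificates."""
    domains: frozenset             # apex domains we own
    known_fingerprints: frozenset  # SHA-256 of certificates we requested
    allowed_issuers: frozenset     # CAs we actually use (e.g. per CAA records)


def name_matches_owned(name: str, owned: frozenset) -> bool:
    """True if a SAN (possibly a wildcard) falls under an owned apex domain.

    The suffix check requires the leading dot, so 'notexample.org' and
    'example.org.evil.test' do not match an inventory for 'example.org'."""
    host = name.lower().lstrip("*.")
    if host in owned:
        return True
    return any(host.endswith("." + apex) for apex in owned)


def triage(entry: LogEntry, inv: Inventory) -> str:
    """Classify one CT entry relative to the inventory.
    Returns 'not-ours', 'known', 'review' or 'misissuance-suspect'."""
    ours = [n for n in entry.sans if name_matches_owned(n, inv.domains)]
    if not ours:
        return "not-ours"
    if entry.sha256.lower() in inv.known_fingerprints:
        return "known"
    if entry.issuer not in inv.allowed_issuers:
        # A CA we never authorised logged a certificate for our name:
        # the strongest automatic signal of misissuance.
        return "misissuance-suspect"
    # Allowed CA, but a certificate we have no record of: could be another
    # team, an auto-renewal, or misissuance. Only a complete inventory
    # (which organisations often lack) lets a human decide.
    return "review"


# Constructed sample inventory and log entries (hypothetical values).
SAMPLE_INVENTORY = Inventory(
    domains=frozenset({"example.org"}),
    known_fingerprints=frozenset({"fp-known-1"}),
    allowed_issuers=frozenset({"Example Trusted CA"}),
)

SAMPLE_ENTRIES = (
    LogEntry("fp-known-1", "Example Trusted CA",
             ("www.example.org", "example.org"), "2020-04-01"),
    LogEntry("fp-unknown-2", "Example Trusted CA",
             ("api.example.org",), "2020-04-15"),
    LogEntry("fp-unknown-3", "Unfamiliar CA",
             ("*.example.org",), "2020-04-20"),
    LogEntry("fp-unknown-4", "Unfamiliar CA",
             ("notexample.org", "example.org.evil.test"), "2020-04-21"),
)


def run_monitor(entries=SAMPLE_ENTRIES, inv=SAMPLE_INVENTORY) -> dict:
    """Map each entry's fingerprint to its triage verdict."""
    return {e.sha256: triage(e, inv) for e in entries}


if __name__ == "__main__":
    for fingerprint, verdict in run_monitor().items():
        print(f"{fingerprint:14} {verdict}")
```

Only the `misissuance-suspect` verdict is automatable with confidence; the `review` bucket is where the operational cost lives, and it grows with every certificate the organisation requests outside a central process.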

