[Cryptography] The EFF 650 CAs lie

[Florian Weimer]

* Natanael:

> I think a major issue that makes detection hard is that we don't have
> reliable means of tracking worldwide certificate use.

There is, via Certificate Transparency, but those offer services need
to be bothered to actually check those resources for misissued
certificates.  Determining whether a certificate is in fact misissued
can be quite hard for organizations of just moderate size.

> Who exactly will realize that the valid certificate for site X is
> being used by a server on the wrong IP?

Why would that be a problem?  Surely this is not the failure mode for
the browser PKI.