bandrami, a day ago:

Phishers also got EV certs. The big problem with PKI is that there are known bad (or at least sketchy) actors on the big CA lists that realistically can't be taken off that list.
solatic, a day ago (reply to bandrami):

How big of a problem is it really, with CAA records and FIDO2 or passkeys? CAA makes sure only one CA signs the cert for the real domain. FIDO2 prevents phishing on a similar-looking domain. EV would force a phisher to get a similar-looking corporate name, but it's beside the main FIDO2 protection.
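As an added illustration of the CAA mechanism the comment above relies on (example code written for this page, not posted by anyone in the thread), the following Python implements the issuer check a CA performs under RFC 8659: climb from the requested name toward the root, take the first non-empty CAA record set, then decide from its `issue`/`issuewild` properties (and any critical-flagged unknown tags) whether a given CA may issue. The zone contents are constructed offline sample data; `SAMPLE_ZONE`, `CAARecord` and `ca_may_issue` are names chosen here, not from any real library.

```python
"""Offline CAA authorization check following RFC 8659 semantics.
All DNS data below is constructed sample data, not real records."""
from dataclasses import dataclass


@dataclass
class CAARecord:
    flags: int   # bit 7 (value 128) = "issuer critical"
    tag: str     # issue / issuewild / iodef / (unknown)
    value: str   # e.g. "letsencrypt.org", ";" (nobody), "mailto:..."


# Constructed zone: FQDN -> CAA RRset. Names absent from the dict have no CAA records.
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),            # no CA may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],           # nobody may issue
    "strict.example.com": [CAARecord(128, "futuretag", "x")],     # critical unknown tag
}


def relevant_caa_set(name, zone):
    """RFC 8659 section 3: the first non-empty CAA RRset found while walking
    from the name up toward the root is the one that governs issuance."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def parse_issue_value(value):
    """'ca.example; account=123' -> ('ca.example', {'account': '123'}).
    A bare ';' yields an empty issuer domain, meaning no CA is authorized."""
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return domain, params


def ca_may_issue(name, ca_domain, zone, wildcard=False):
    """Return (allowed, reason) for CA `ca_domain` issuing for `name`."""
    found_at, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True, "no CAA records found; issuance is unrestricted"
    # A critical-flagged property the CA does not understand means it must refuse.
    for r in rrset:
        if r.flags & 128 and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"critical unrecognised tag '{r.tag}' at {found_at}"
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    issuers = [parse_issue_value(r.value)[0] for r in rrset if r.tag.lower() == tag]
    if not issuers:
        return True, f"no '{tag}' property at {found_at}; issuance is unrestricted"
    if ca_domain.lower() in issuers:
        return True, f"'{ca_domain}' is listed in '{tag}' at {found_at}"
    return False, f"'{ca_domain}' not among {issuers} ('{tag}' at {found_at})"


if __name__ == "__main__":
    for args in [("www.example.com", "letsencrypt.org"),
                 ("www.example.com", "other-ca.test"),
                 ("locked.example.com", "letsencrypt.org")]:
        print(args, ca_may_issue(*args, SAMPLE_ZONE))
```

Note that the check is only as strong as the DNS answer it trusts: a CA resolving CAA over plain DNS without DNSSEC validation can be fed a forged empty answer, which is why the RFC requires CAs to treat lookup failures as a refusal rather than as "no records".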
akerl_, a day ago (reply to bandrami):

What's an example? We're in an era where browsers have forced certificate transparency and removed major vendor CAs when they've issued certificates in violation of the browsers' requirements. The concern about bad/sketchy CAs in the list feels dated.