| ▲ | theamk 4 hours ago | |
Maybe, but then can only do it once. Then they get caught, and their CA is distrusted. See Diginotar [0] for example. And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party. If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country? [0] https://blog.mozilla.org/security/2011/09/02/diginotar-remov... | ||
| ▲ | JumpCrisscross 2 hours ago | parent | next [-] | |
Side note: “DigiNotar BV was a Dutch certificate authority from 1998 to 2011. It was acquired in January 2011 by VASCO and subsequently declared bankrupt in September of the same year” [1]. I didn’t realize the slapped their face on the pavement right after being acquired. | ||
| ▲ | 2 hours ago | parent | prev [-] | |
| [deleted] | ||