
2 Dec 2022, 3:58 p.m.
On Fri, 2 Dec 2022 15:43:04 +1300, Peter Reutemann quoted:
'"Certificate Authorities have highly trusted roles in the internet ecosystem ...'
The main problem is that, once a browser trusts a CA, that CA is effectively allowed to provide a certificate for *any* domain (even though it might not be supposed to). There have been rogue CAs in the past, providing forged certs for particular domains, or selling such certs to companies to allow them to snoop on encrypted traffic to those domains. I thought work was being done to restrict the scope of the domains for which a CA could provide certificates (e.g. just to particular TLDs, or just the TLD for one country), which would limit the damage that they can do. Seems this hasn't happened yet.