by ethbro
2972 days ago

I'd be curious what would happen if the "too big to fail" issuers pushed back against this. Microsoft's only option is to completely drop the root cert, right? So there's no real non-nuclear option... In the broader sense, this is one downside of the shift towards Let's Encrypt and CAs being more interchangeable: increased power of the root stores relative to them. Sometimes that's good, sometimes it's evil.

In small-scale disputes MS (and other browser vendors) would not have to nuke an entire large CA to get their way. In principle they could just blacklist the individual certs/names, leaving the CA's other certs alone.
That ability/implied threat probably does mean that the CAs tend to comply with MS piracy/copyright-related revocation requests, because refusing to comply would piss off MS (and possibly law enforcement) without actually stopping them from getting their way by other means.