We should definitely talk more about those CAs and should totally have a way to force that only certain CAs are able to give out certs for a domain. Oh wait, it's called HPKP and it's being removed D:
HPKP was a bad standard - there’s no way it could be used safely at scale. There are just too many ways to accidentally screw up, and that’s before you start dealing with actual attackers.
CT allows you to detect misissuance - theoretically you could have a monitor service that watched all the logs for changes to your domains.
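The monitor sketched in the comment above, as an added Go example (not code from the thread or from any CT log project): instead of reading real log entries it mints a legitimate CA, a rogue CA and a few leaf certificates as constructed fixtures, then runs each through the check a monitor would run per entry: does the cert name one of our domains (directly, as a subdomain, or via a wildcard), and if so, was it signed by a CA key on our allowlist. The watchlist, domain names, CA names and the idea of keying the allowlist on the issuer's SPKI hash are hypothetical choices for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Watchlist is what a CT monitor keeps per organisation: the domains it owns and
// the SHA-256 SPKI hashes of the CA keys it actually uses. Hypothetical values.
type Watchlist struct {
	Domains        []string
	AllowedIssuers map[string]bool
}

// Finding is one log entry that named a monitored domain.
type Finding struct {
	Serial    string
	Names     []string
	IssuerKey string
	Expected  bool // true if a CA key on the allowlist signed the leaf
}

// Covers reports whether a certificate name (possibly a wildcard) covers the
// monitored domain or anything beneath it. Case and a trailing dot are ignored.
func Covers(certName, monitored string) bool {
	c := strings.ToLower(strings.TrimSuffix(certName, "."))
	m := strings.ToLower(strings.TrimSuffix(monitored, "."))
	if strings.HasPrefix(c, "*.") {
		base := c[2:]
		// *.example.com covers example.com's children, *.sub.example.com lies
		// beneath example.com, and *.com would cover example.com itself.
		return base == m || strings.HasSuffix(base, "."+m) || strings.HasSuffix(m, "."+base)
	}
	// The leading dot stops notexample.com from matching example.com.
	return c == m || strings.HasSuffix(c, "."+m)
}

// SPKIHash identifies a CA by its key: SHA-256 of the DER SubjectPublicKeyInfo.
func SPKIHash(cert *x509.Certificate) string {
	h := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(h[:])
}

// Inspect is the per-entry check: does the leaf name one of our domains, and if
// so, did an expected CA really sign it (not just appear next to it in a chain)?
func Inspect(leaf, issuer *x509.Certificate, wl Watchlist) (Finding, bool) {
	names := append([]string{leaf.Subject.CommonName}, leaf.DNSNames...)
	seen := map[string]bool{}
	var hit []string
	for _, n := range names {
		if n == "" || seen[n] {
			continue
		}
		for _, d := range wl.Domains {
			if Covers(n, d) {
				hit = append(hit, n)
				seen[n] = true
				break
			}
		}
	}
	if len(hit) == 0 {
		return Finding{}, false
	}
	key := SPKIHash(issuer)
	ok := leaf.CheckSignatureFrom(issuer) == nil && wl.AllowedIssuers[key]
	return Finding{Serial: leaf.SerialNumber.String(), Names: hit, IssuerKey: key, Expected: ok}, true
}

var nextSerial int64 = 1000

// mint creates a self-signed CA (parent == nil) or a leaf signed by parent.
// Fixture generator only; a real monitor reads certificates from the logs.
func mint(cn string, sans []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// RunSample builds constructed log entries and returns what the monitor flags.
func RunSample() []Finding {
	goodCA, goodKey := mint("Good CA", nil, nil, nil)
	rogueCA, rogueKey := mint("Rogue CA", nil, nil, nil)
	wl := Watchlist{Domains: []string{"example.com"}, AllowedIssuers: map[string]bool{SPKIHash(goodCA): true}}
	legit, _ := mint("www.example.com", []string{"www.example.com", "api.example.com"}, goodCA, goodKey)
	rogue, _ := mint("*.example.com", []string{"*.example.com"}, rogueCA, rogueKey)
	other, _ := mint("example.org", []string{"example.org", "notexample.com"}, rogueCA, rogueKey)
	entries := []struct{ leaf, issuer *x509.Certificate }{{legit, goodCA}, {rogue, rogueCA}, {other, rogueCA}}
	var out []Finding
	for _, e := range entries {
		if f, ok := Inspect(e.leaf, e.issuer, wl); ok {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range RunSample() {
		fmt.Printf("serial=%s names=%v issuerKey=%s... expected=%v\n", f.Serial, f.Names, f.IssuerKey[:12], f.Expected)
	}
}
```

Running it reports two findings: the Good CA leaf for www/api.example.com as expected, and the Rogue CA wildcard for *.example.com as unexpected; the example.org cert with a notexample.com SAN is not a finding at all, which is the false positive a naive suffix match would produce. In a real deployment the entries come from the logs' get-entries endpoints and the allowlist is the SPKI hashes of the CAs you actually order from.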
Longer term, something (no opinion stated on exactly what) needs to be done to rectify the trust model for BGP and DNS.