by geofft
2652 days ago
Mandatory CT does actually solve that: if a browser won't trust a cert without seeing it include a signed certificate timestamp from a trusted log, then the CA has to disclose certs, even if they're only targeting one user. But most people don't have e.g. Expect-CT set up, so it's not clear it would help on a majority of sites. (One reasonable option would be to require certs from DarkMatter, and really every CA going forward, to have SCTs in their certs, and enforce that with a flag in the root store. But if there's a concern about DarkMatter specifically, it's probably better to phrase a change to the root store policies that say "We won't accept CAs we just don't trust" instead of waiting for them to misbehave and then rescinding their membership.) |
Unless you can define the policies up front that's a very risky road to go down. Why refuse to trust DarkMatter, but not refuse to trust China Bank?
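The enforcement geofft's comment describes (a cert is trusted only if it carries SCTs from trusted logs, with the requirement switched on per CA by a flag in the root store) can be sketched as a small policy checker. The code below is an added illustration, not code from the thread or from any browser. It parses the SignedCertificateTimestampList structure from RFC 6962 section 3.3 (the payload of the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2) and then applies a hypothetical policy: an issuer flagged in the root-store table must present SCTs from at least two distinct trusted logs. The root-store table, the trusted log IDs, the SCT contents and the "signatures" are all constructed placeholders; a real checker would also verify each SCT signature against the log's public key, which this example deliberately omits.

```python
"""Hypothetical Certificate Transparency policy check (added example).

Parses an RFC 6962 SignedCertificateTimestampList and decides whether a
certificate from a given issuer satisfies a root-store "requires CT" flag.
All log IDs, signatures and the root-store table are constructed samples.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCT_EXTENSION_OID = "1.3.6.1.4.1.11129.2.4.2"  # X.509 extension carrying the SCT list


@dataclass
class SCT:
    version: int        # 0 == v1 in RFC 6962
    log_id: bytes       # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int
    extensions: bytes
    signature: bytes    # not verified in this example


def parse_sct(data: bytes) -> SCT:
    """Parse one SerializedSCT (RFC 6962 section 3.2)."""
    if len(data) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43
    extensions = data[pos:pos + ext_len]
    pos += ext_len
    # DigitallySigned: hash alg (1 byte), sig alg (1 byte), sig length (2), signature
    if len(data) < pos + 4:
        raise ValueError("SCT signature header truncated")
    (sig_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
    signature = data[pos + 4:pos + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("SCT signature truncated")
    return SCT(version, log_id, timestamp_ms, extensions, signature)


def parse_sct_list(blob: bytes) -> List[SCT]:
    """Parse SignedCertificateTimestampList: 2-byte total length, then a
    run of 2-byte-length-prefixed SerializedSCT entries."""
    if len(blob) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("SCT entry length truncated")
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        scts.append(parse_sct(blob[pos:pos + n]))
        pos += n
    return scts


# --- constructed sample data -------------------------------------------------
def build_sct(log_id: bytes, timestamp_ms: int) -> bytes:
    """Serialize a v1 SCT with a constructed, meaningless signature blob."""
    fake_sig = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # placeholder, not a real ECDSA sig
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)          # no extensions
            + b"\x04\x03"                   # hash=sha256, sig=ecdsa
            + struct.pack(">H", len(fake_sig)) + fake_sig)


def build_sct_list(scts: List[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


# Constructed root-store table: True means "this CA's certs must carry SCTs".
ROOT_STORE_REQUIRES_CT = {"Example Strict CA": True, "Example Legacy CA": False}
# Constructed trusted log IDs (real ones are 32-byte SHA-256 key hashes).
TRUSTED_LOGS = {b"L1" * 16, b"L2" * 16}
MIN_DISTINCT_LOGS = 2


def ct_policy_ok(issuer: str, sct_extension: Optional[bytes]) -> Tuple[bool, str]:
    """Decide whether a cert from `issuer` with the given raw SCT extension
    payload (None if absent) satisfies the hypothetical CT policy."""
    if issuer not in ROOT_STORE_REQUIRES_CT:
        return False, "issuer not in root store"
    if not ROOT_STORE_REQUIRES_CT[issuer]:
        return True, "issuer not flagged; CT not required"
    if sct_extension is None:
        return False, "no SCT extension present"
    try:
        scts = parse_sct_list(sct_extension)
    except (ValueError, struct.error) as exc:
        return False, f"malformed SCT list: {exc}"
    logs = {s.log_id for s in scts if s.version == 0 and s.log_id in TRUSTED_LOGS}
    if len(logs) < MIN_DISTINCT_LOGS:
        return False, f"only {len(logs)} SCT(s) from distinct trusted logs"
    return True, f"{len(logs)} SCTs from distinct trusted logs"


if __name__ == "__main__":
    good = build_sct_list([build_sct(b"L1" * 16, 1), build_sct(b"L2" * 16, 2)])
    print(ct_policy_ok("Example Strict CA", good))
    print(ct_policy_ok("Example Strict CA", None))
```

Two SCTs from the same log count as one, and an SCT from a log outside the trusted set is ignored rather than rejected outright, which mirrors the "N distinct trusted logs" shape of real browser CT policies; the exact N, the log list and the per-CA flag are the policy knobs geofft's comment says the root store would have to set.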