by simiones 1578 days ago
The certificate authority has no requirement to verify that they are emitting a certificate to a human person that has any legal right to the domain name they are obtaining the certificate for.

All the PKI requires of CAs (for DV certs) is to ensure that the entity requesting a certificate has control of the domain name they are requesting the certificate for. That entity may very well be a server, not a person; and it may very well be malware that has infiltrated Google's servers, requesting a certificate for google.com. It's not up to the CA to verify which it is, for DV certs.
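As an added illustration of the point above (not part of the comment), the following models a DV-only CA with an in-memory stand-in for DNS and a web root: the CA checks only that a challenge token was published under the name, so the check passes for any party able to write there and says nothing about who that party is. The class names, the `_dv-challenge` record and the `/.well-known/dv-challenge/` path are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

@dataclass
class DomainInfrastructure:
    """Constructed stand-in for a domain's public DNS zone and web root."""
    dns_txt: dict = field(default_factory=dict)    # record name -> TXT value
    web_files: dict = field(default_factory=dict)  # URL path -> body

class DomainValidationCA:
    """Hypothetical DV-only CA: checks control of the name, asserts nothing about identity."""
    def __init__(self):
        self.pending = {}  # domain -> outstanding challenge token

    def challenge(self, domain):
        # Fresh unguessable token; only a party able to publish it under the domain can answer.
        token = secrets.token_urlsafe(32)
        self.pending[domain] = token
        return token

    def validate(self, domain, infra):
        token = self.pending.get(domain)
        if token is None:
            return False
        # Hypothetical record name and path, modelled on DNS TXT and HTTP well-known checks.
        digest = hashlib.sha256(token.encode()).hexdigest()
        via_dns = infra.dns_txt.get(f"_dv-challenge.{domain}") == digest
        via_http = infra.web_files.get(f"/.well-known/dv-challenge/{token}") == digest
        return via_dns or via_http

    def issue(self, domain, infra):
        if not self.validate(domain, infra):
            return None
        # A DV certificate binds the validated name(s) only: no organisation, no person, no legal-rights claim.
        return {"subject_alt_names": [domain], "organization": None}

def complete_challenge(token, domain, infra):
    """Anything able to write to the domain's DNS or web root can do this: an
    administrator, an unattended renewal job, or software already running on the host."""
    infra.dns_txt[f"_dv-challenge.{domain}"] = hashlib.sha256(token.encode()).hexdigest()

def demo():
    ca = DomainValidationCA()
    controlled = DomainInfrastructure()  # requester can publish records here
    foreign = DomainInfrastructure()     # requester has no access here
    token = ca.challenge("example.com")
    complete_challenge(token, "example.com", controlled)
    return ca.issue("example.com", controlled), ca.issue("example.com", foreign)
```

`demo()` returns a certificate for the infrastructure the requester could write to and `None` for the one it could not; nothing in the issued certificate identifies who completed the challenge.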