[dnet]

I made my own CA for this because nothing else could provide transparency regarding certificate issuance (whether an attacker issued a "spare" backdoor certificate)

- source code: https://github.com/silentsignal/zsca

- my talk about the design and results: https://pretalx.hsbp.org/camppp7e5/talk/D3E9HN/