Hacker News
by lesserknowndan 1281 days ago
The real problem with this is that such a CA can issue a certificate for a domain like google.com that it has no right to issue and the browser will assume that it can safely connect to a server using that certificate.

This would allow EU governments - such as Turkey - to easily man-in-the-middle people’s web connections to such services.

Now while Chrome can try and determine whether or not the certificate is valid for google.com, it would be harder to do for lesser known sites.

I can foresee yet another DNS record that informs what CAs should be expected to secure domains within a DNS zone.

2 comments

Haha. It seems there is a DNS record for exactly this. See linked article for good discussion: https://www.devever.net/~hl/acme-caa-live
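The record the linked article discusses is CAA (RFC 8659): a zone owner publishes which CAs may issue for its names, and a CA must check it before issuing. The following is an added example, not code from the thread or the linked article: a minimal evaluator of the RFC 8659 issuance rules (parent walk to find the relevant RRset, `issue` versus `issuewild`, the `;` "no CA" value, and refusal on an unknown critical tag) run over a constructed in-memory zone so it works offline. The zone names, CA names and the `ZONE` dict are assumptions for the demonstration; a real CA queries DNS, ideally through a validating resolver.

```python
"""Minimal CAA (RFC 8659) issuance check over a constructed, in-memory zone.

Added example, not from the thread. A real implementation would query DNS
for each candidate name instead of reading the ZONE dict below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) = "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", or something a CA may not know
    value: str   # e.g. "letsencrypt.org", or ";" meaning "no CA may issue"


# Constructed zone data (assumption): FQDN -> its CAA RRset; [] = name has no CAA.
ZONE = {
    "example.com.": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", ";")],
    "api.example.com.": [],                                   # inherits from example.com.
    "legacy.example.com.": [CAA(128, "unknown-tag", "x")],    # critical tag a CA does not understand
    "nocaa.example.net.": [],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zone=ZONE):
    """RFC 8659 section 3: walk from the name toward the root; the first
    non-empty CAA RRset found is the one that governs this name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate, [])
        if rrset:
            return rrset
    return []


def _issuer_domain(value):
    """Issuer domain from a CAA value: text before the first ';' (parameters
    are ignored here), lowercased, trailing dot removed. Empty means 'no CA'."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def issuance_permitted(name, ca, zone=ZONE, wildcard=False):
    """Return True if CA `ca` may issue for `name` under the zone's CAA policy."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue

    # An unrecognised tag with the critical bit set means the CA must refuse.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    tags = {r.tag.lower() for r in rrset}
    if wildcard and "issuewild" in tags:
        controlling = "issuewild"   # issuewild governs wildcard requests when present
    elif "issue" in tags:
        controlling = "issue"       # otherwise issue governs both kinds of request
    else:
        return True                 # only iodef etc.: no issuance restriction

    allowed = {_issuer_domain(r.value) for r in rrset if r.tag.lower() == controlling}
    allowed.discard("")             # a bare ';' record adds no permitted issuer
    return ca.lower().rstrip(".") in allowed


if __name__ == "__main__":
    for fqdn, ca, wild in [
        ("api.example.com.", "letsencrypt.org", False),
        ("api.example.com.", "other-ca.example", False),
        ("example.com.", "letsencrypt.org", True),
        ("legacy.example.com.", "letsencrypt.org", False),
        ("nocaa.example.net.", "anyone.example", False),
    ]:
        print(fqdn, ca, "wildcard" if wild else "", "->", issuance_permitted(fqdn, ca, wildcard=wild))
```

The check only binds honest CAs: a CA that ignores CAA, or a resolver path that can be tampered with, defeats it, which is why the record is most useful alongside CA compliance auditing and Certificate Transparency monitoring of the names you own.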
> This would allow EU governments - such as Turkey - to easily man-in-the-middle people’s web connections to such services.

Turkey is not an EU member state, and at this point membership is not looking likely for the next 15 or 20 years.

Hungary, on the other hand, is — but I am not sure Orbán would try such a stunt given what would follow.

Sorry, forgot for a moment which timeline I’m in.