by layer8 563 days ago
Unlike web browsers, digital signature use cases should perform revocation checks, so revoking the google.com certificate should solve that.
3 comments

The problem here isn't really that one mis-issued certificate, but rather the general problematic behavior of that CA reported in TFA.

If a CA can be convinced to issue a server certificate for google.com, would you feel very comfortable trusting their contract/deed/... signing certificates?

If the government says you need to use their CA, you may feel the feelings, but you will still use them.
What would stop me from purging all this CA's certificates from my computer?
I think the current "meta" is CAA records? https://blog.cloudflare.com/why-certificate-pinning-is-outda...
CAA records rely on the CAs to respect them, and this is an article about how a CA has issued a cert in violation of a CAA record.
Oh right, for some reason I was under the impression that browsers utilize the record too.
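To make the point in the exchange above concrete: CAA is a policy that the issuing CA is expected to evaluate at issuance time (RFC 8659), and nothing in a browser re-checks it. The following is an added example, not code from the thread or from any CA, of the relevant-record-set climb and the issue/issuewild matching a CA is supposed to perform. The zone data is constructed, the issuer names (ca.example, wild-ca.example) are hypothetical, and CNAME/DNAME following and DNSSEC validation are deliberately left out.

```python
"""Evaluate RFC 8659 CAA issuance policy against a constructed in-memory zone.

Added example (not from the HN thread). Assumptions: ZONE is a constructed
stand-in for DNS, issuer domains such as 'ca.example' are hypothetical, and
CNAME/DNAME indirection and DNSSEC are ignored for brevity.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # CAA flags bit 7: unknown critical tag => must not issue
KNOWN_TAGS = {"issue", "issuewild", "iodef", "contactemail", "contactphone"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone: owner name -> CAA RRset (empty list = name has no CAA records).
ZONE = {
    "example.com": [CAA(0, "issue", "ca.example"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "www.example.com": [],                          # inherits example.com's policy
    "locked.example.com": [CAA(0, "issue", ";")],   # ';' = no issuer may issue
    "critical.example.com": [CAA(ISSUER_CRITICAL, "futuretag", "x")],
    "wild.example.com": [CAA(0, "issue", "ca.example"),
                         CAA(0, "issuewild", "wild-ca.example")],
}


def lookup_caa(name):
    """Stand-in for a CAA DNS query; returns the RRset for an exact owner name."""
    return ZONE.get(name, [])


def relevant_caa_set(name):
    """RFC 8659 s3: walk from the name toward the root and return the first
    non-empty CAA RRset found. An empty result means issuance is unrestricted."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def parse_issue_value(value):
    """'ca.example; accounturi=https://...' -> ('ca.example', {'accounturi': ...}).
    A bare ';' yields an empty issuer domain, which matches nobody."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def issuance_permitted(name, issuer_domain, wildcard=False):
    """Return True if the CA identified by issuer_domain may issue for name.
    A leading '*.' in name is treated as a wildcard request."""
    if name.startswith("*."):
        name, wildcard = name[2:], True
    rrset = relevant_caa_set(name)
    if not rrset:
        return True  # no CAA anywhere up the tree: no restriction expressed
    # Any record with the critical flag and a tag we do not implement forbids issuance.
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False
    tags = {rr.tag.lower() for rr in rrset}
    # Wildcard requests are governed by issuewild when present, else by issue.
    governing = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    values = [rr.value for rr in rrset if rr.tag.lower() == governing]
    if not values:
        return True  # RRset exists but expresses no restriction for this request type
    for v in values:
        domain, _params = parse_issue_value(v)
        if domain and domain == issuer_domain.lower().rstrip("."):
            return True
    return False


if __name__ == "__main__":
    for req, ca in [("www.example.com", "ca.example"),
                    ("www.example.com", "other-ca.example"),
                    ("*.wild.example.com", "ca.example"),
                    ("locked.example.com", "ca.example")]:
        print(f"{req:24} {ca:18} permitted={issuance_permitted(req, ca)}")
```

The check is entirely on the CA side: a browser validating a leaf certificate never consults CAA, so a CA that skips or mis-implements this walk produces a certificate that every client will still accept until it is revoked.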
Just need to DoS the revocation server right before your digital signature is checked.