by engendered 4131 days ago
Users don't react well to such warnings, but on the software side there is the emergent concept of certificate pinning -- Chrome, for instance, reports to the mothership if an unexpected CA is found to have generated a Google certificate (it simply flags on an unexpected certificate, though usually that means an untrusted CA). Not sure about the scalability of the solution, but ultimately domains should be able to securely delegate authoritative CAs.

https://www.imperialviolet.org/2011/05/04/pinning.html

However, then you get to the same market issue that allowed the whole Superfish and related debacles -- enterprises require the ability to self-CA everyone else, given that they demand the right to MITM.
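An added illustration of the pin check the comment describes, covering the three cases it raises: a chain that carries a pinned key, an unexpected CA that triggers a report, and a locally installed enterprise root. This is not code from the linked post or from Chrome; `Cert`, `check_pins` and the sample key bytes are constructed stand-ins, and the local-root exemption mirrors Chrome's documented practice of not enforcing pins for admin-installed trust anchors.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields pinning needs."""
    subject: str
    spki_der: bytes              # SubjectPublicKeyInfo bytes (constructed, not real DER)
    is_local_root: bool = False  # True if this anchor was installed by the machine's admin


def spki_pin(spki_der: bytes) -> str:
    """HPKP/Chrome-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def check_pins(host: str, chain: list, pins: dict, enforce_local_roots: bool = False) -> dict:
    """Validate a served chain against the pin set for `host`.

    A chain passes when ANY certificate in it (leaf, intermediate or root)
    carries a pinned public key. Chains ending at a locally installed root
    (enterprise MITM proxies, Superfish-style adware) are exempt unless
    enforce_local_roots is set. On failure the report a client would send
    to its pin-report endpoint is returned alongside the verdict.
    """
    expected = pins.get(host)
    seen = [spki_pin(c.spki_der) for c in chain]
    if expected is None:
        return {"ok": True, "reason": "no pins for host", "report": None}
    if chain[-1].is_local_root and not enforce_local_roots:
        return {"ok": True, "reason": "local trust anchor, pins not enforced", "report": None}
    if any(p in expected for p in seen):
        return {"ok": True, "reason": "pinned key present in chain", "report": None}
    report = {"hostname": host,
              "served-chain-subjects": [c.subject for c in chain],
              "served-chain-pins": seen,
              "known-pins": sorted(expected)}
    return {"ok": False, "reason": "no pinned key in served chain", "report": report}


# Constructed sample chains; the byte strings stand in for real SPKI DER.
GOOD_CHAIN = [Cert("CN=mail.example", b"leaf-key-1"),
              Cert("CN=Example Intermediate", b"intermediate-key"),
              Cert("CN=Example Root", b"root-key")]
MITM_CHAIN = [Cert("CN=mail.example", b"leaf-key-2"),
              Cert("CN=Unexpected Public CA", b"other-ca-key")]
ENTERPRISE_CHAIN = [Cert("CN=mail.example", b"leaf-key-3"),
                    Cert("CN=Corp Proxy Root", b"corp-proxy-key", is_local_root=True)]
PINS = {"mail.example": {spki_pin(b"intermediate-key"), spki_pin(b"root-key")}}
```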