A security researcher was able to revoke a third party's Symantec certificate by presenting a fake private key.
https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html
Symantec have at least acknowledged that this is a problem.
https://www.symantec.com/connect/blogs/third-party-revocation-updates
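The check a CA is supposed to run before honouring a "key compromise" revocation is straightforward: the submitted private key must actually correspond to the certificate being revoked, and ideally must prove possession by signing a fresh challenge. The Go program below is an added illustration of that check, written for this thread; it is not code from the linked blog post, from Symantec, or from any CA. The certificate, the "victim" key and the bogus key it feeds in are all generated in-process as constructed fixtures, and the ECDSA-only signature verification is an assumption made to keep the example short.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeTestCert builds a self-signed certificate for key (constructed fixture,
// standing in for the third party's real certificate).
func makeTestCert(key *ecdsa.PrivateKey, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// keyPEM serialises a private key the way a revocation requester would submit it.
func keyPEM(key *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// ProveKeyCompromise validates a key-compromise revocation request. It returns
// nil only if the submitted PEM parses, its public half equals the certificate's
// public key, and it signs a random challenge that verifies under that key.
func ProveKeyCompromise(cert *x509.Certificate, submittedPEM []byte) error {
	block, _ := pem.Decode(submittedPEM)
	if block == nil {
		return errors.New("submitted key is not valid PEM")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("submitted key does not parse: %w", err)
	}
	signer, ok := parsed.(crypto.Signer)
	if !ok {
		return errors.New("submitted key cannot sign")
	}
	certPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("only ECDSA certificates are handled in this example")
	}
	// Check 1: the public half of the submitted key must be the certificate's key.
	if !certPub.Equal(signer.Public()) {
		return errors.New("submitted key does not correspond to the certificate")
	}
	// Check 2: proof of possession over a fresh challenge, verified with the
	// certificate's own public key rather than anything the requester supplied.
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	digest := sha256.Sum256(challenge)
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return fmt.Errorf("signing challenge failed: %w", err)
	}
	if !ecdsa.VerifyASN1(certPub, digest[:], sig) {
		return errors.New("challenge signature does not verify under certificate key")
	}
	return nil
}

// Demo runs the check against a key that is not the certificate's and against
// the genuine key, returning (bogusAccepted, genuineAccepted).
func Demo() (bool, bool, error) {
	victim, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	cert, err := makeTestCert(victim, "example.test") // constructed hostname
	if err != nil {
		return false, false, err
	}
	bogus, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // any unrelated key
	if err != nil {
		return false, false, err
	}
	bogusPEM, _ := keyPEM(bogus)
	genuinePEM, _ := keyPEM(victim)
	return ProveKeyCompromise(cert, bogusPEM) == nil,
		ProveKeyCompromise(cert, genuinePEM) == nil, nil
}

func main() {
	bogusOK, genuineOK, err := Demo()
	fmt.Println("bogus key accepted:", bogusOK, "genuine key accepted:", genuineOK, "err:", err)
}
```

The point of the second check is that a CA should never trust a requester's claim about a key; it derives everything from the certificate it already holds. A parseable, well-formed key that simply belongs to someone else fails the first check, and a blob that is not a key at all fails before either.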
... but seriously, why do we even still have PKI? Shouldn't DNS registrars be the ones signing certs? After all, that's *all* a cert means, that you own a domain.
@natecull Well one thing's for sure, we ought to kill the CA cartel. Let's Encrypt is a start, but the entire design is wrong.
So we know the goal... Like DNS, finding a proper solution is still a WIP :)
@craigmaloney @natecull Well I think you want to design a system where the CA doesn't have to opt-in to it :)
@craigmaloney @cwebber Looking at what's happening right now with Snopes - a fact-checking site on the front-line of global politics/war being torn apart over site ownership questions by a divorce between its owners - it's worth realising that today, on the Internet, the personal is commercial is political is military.
And it all revolves around the question of asserting and proving identity and proof of trust paths for knowledge.
Should make a good movie.