
cjalmeida | 1 year ago

It gets worse. ICP-Brasil, the AC mentioned in the bug reports, is the government-run agency responsible for all things related to digital signatures. Digitally signing a contract, a deed, accessing tax returns…


justinclift|1 year ago

So you're saying it's only a matter of time until they issue a cert for x.com as well? :)

layer8|1 year ago

Unlike web browsers, digital signature use cases should perform revocation checks, so revoking the google.com certificate should solve that.

lxgr|1 year ago

The problem here isn't really that one mis-issued certificate, but rather the general problematic behavior of that CA reported in TFA.

If a CA can be convinced to issue a server certificate for google.com, would you feel very comfortable trusting their contract/deed/... signing certificates?

bawolff|1 year ago

Just need to DoS the revocation server right before your digital signature is checked.