
The trouble is that's only possible with the CA's cooperation, because they have the ability to backdate the certificates by falsifying the date. In the case of WoSign, Mozilla threatened to distrust them completely if they did that, but if it's unfeasible to remove a CA that threat may be ineffectual.


This kind of forgery can be mitigated by requiring all certificates to be published to a Certificate Transparency server upon issuance. You can't backdate a public ledger that is being watched by third parties.
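
An added example, not part of the thread: a monitor-side check that compares a certificate's claimed `notBefore` with the earliest timestamp a Certificate Transparency log recorded for it. The cutoff date, the skew tolerance, the function names and the sample records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumed policy values (hypothetical, not taken from the thread).
CUTOFF = datetime(2016, 1, 1, tzinfo=UTC)  # issuance deadline being enforced
MAX_SKEW = timedelta(hours=48)             # tolerated gap between notBefore and logging


def sct_time(ms):
    """RFC 6962 SCT timestamps are milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=UTC)


def classify(not_before, sct_timestamps_ms):
    """Judge the CA's claimed issuance date against the log's own timestamps."""
    if not sct_timestamps_ms:
        # No log entry: the only date available is the CA's own claim.
        return "reject: not logged"
    first_logged = sct_time(min(sct_timestamps_ms))
    if not_before < CUTOFF <= first_logged:
        return "suspect: claims pre-cutoff issuance, first logged after cutoff"
    if first_logged - not_before > MAX_SKEW:
        return "suspect: logged long after claimed issuance"
    return "ok"


def ms(*parts):
    """Helper for building constructed SCT timestamps."""
    return int(datetime(*parts, tzinfo=UTC).timestamp() * 1000)


# Constructed sample records: name -> (notBefore, SCT timestamps in ms).
SAMPLES = {
    "honest": (datetime(2015, 12, 20, tzinfo=UTC),
               [ms(2015, 12, 20, 0, 5), ms(2015, 12, 20, 0, 6)]),
    "backdated": (datetime(2015, 12, 20, tzinfo=UTC), [ms(2016, 1, 18, 9, 0)]),
    "late_log": (datetime(2016, 3, 1, tzinfo=UTC), [ms(2016, 3, 10)]),
    "unlogged": (datetime(2015, 12, 20, tzinfo=UTC), []),
}


def report():
    return {name: classify(nb, scts) for name, (nb, scts) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:10s} {verdict}")
```

The SCT timestamp is asserted by the log operator rather than the CA, which is why it can contradict a falsified `notBefore`; the check is only as strong as the requirement that every certificate carries one.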



