
They would be killing the CA by doing this, since all certs have to be publicly logged in order to be trusted by Chrome or Safari: https://en.wikipedia.org/wiki/Certificate_Transparency

If a minor CA suddenly issued a cert for, say, mail.google.com, they'd be distrusted by every browser/OS within days. If a government made a habit of doing this, there'd soon be no trusted CAs in their jurisdiction.

The US probably has the best chance of getting away with this since they also have all the major OS/browser vendors in their jurisdiction. But if Mozilla/Apple/Microsoft/Google all mysteriously decided not to distrust a CA that was issuing bogus certs for high-profile sites, it would be pretty conspicuous.
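What the public-logging requirement gives a domain owner in practice, as an added example that is not part of the original comment: a monitor that scans CT log entries for watched domains and flags any certificate from an issuer the owner does not use. The entry fields, CA names and policy table are constructed assumptions, not the format of any real log or monitoring service.

```python
"""CT monitoring sketch: flag logged certs for watched domains from unexpected issuers."""

# Assumption: the domain owner's own policy, listing the CA names it really uses.
EXPECTED_ISSUERS = {
    "example.com": {"Example Trust Services CA 1"},
}

# Constructed sample entries (hypothetical fields, already decoded from a log).
SAMPLE_ENTRIES = [
    {"log_index": 1001, "issuer": "Example Trust Services CA 1",
     "dns_names": ["www.example.com", "example.com"]},
    {"log_index": 1002, "issuer": "Minor Regional CA G2",
     "dns_names": ["mail.example.com"]},
    {"log_index": 1003, "issuer": "Minor Regional CA G2",
     "dns_names": ["*.example.com", "unrelated.test"]},
    # Look-alike names that must NOT match the watched domain.
    {"log_index": 1004, "issuer": "Other CA",
     "dns_names": ["notexample.com", "example.com.other.test"]},
]


def watched_domain(name, watched):
    """Return the watched domain that `name` belongs to, or None."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # a wildcard covers names under its parent
        name = name[2:]
    for domain in watched:
        # Match on a label boundary so "notexample.com" is not a false hit.
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def find_unexpected(entries, expected=EXPECTED_ISSUERS):
    """Return (log_index, dns_name, issuer) for each watched name from an unlisted CA."""
    alerts = []
    for entry in entries:
        for name in entry["dns_names"]:
            domain = watched_domain(name, expected)
            if domain is not None and entry["issuer"] not in expected[domain]:
                alerts.append((entry["log_index"], name, entry["issuer"]))
    return alerts


if __name__ == "__main__":
    for index, name, issuer in find_unexpected(SAMPLE_ENTRIES):
        print(f"ALERT entry {index}: {name} issued by unexpected CA {issuer!r}")
```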



