A security researcher was able to revoke a third party's Symantec certificate by presenting a fake private key.

https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html

Symantec have at least acknowledged that this is a problem.

https://www.symantec.com/connect/blogs/third-party-revocation-updates

... but seriously, why do we even still have PKI? Shouldn't DNS registrars be the ones signing certs.After all, that's *all* a cert means, that you own a domain.

@natecull Well one thing's for sure, we ought to kill the CA cartel. Let's Encrypt is a start, but the entire design is wrong.

So we know the goal... Like DNS, finding a proper solution is still a WIP :)

@cwebber @natecull Much like Congress voting themselves a pay-cut I'm pretty sure no CA in their right mind is going to take disbanding their cartel lightly.

@craigmaloney @natecull Well I think you want to design a system where the CA doesn't have to opt-in to it :)

@cwebber @natecull Unfortunately I think it's easier to notarize a business than a person. Businesses have paper-trails and a general covenant with the state and federal governments that they're not up to any shenanigans.

That said, even businesses can be deceitful and the only legal recourse is to dissolve the ability for that business to exist in the legal sense.

The CAs take some of the legal responsibility for determining legitimacy, but ultimately they're just as fallable