A security researcher was able to revoke a third party's Symantec certificate by presenting a fake private key.
https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html
Symantec have at least acknowledged that this is a problem.
https://www.symantec.com/connect/blogs/third-party-revocation-updates
... but seriously, why do we even still have PKI? Shouldn't DNS registrars be the ones signing certs.After all, that's *all* a cert means, that you own a domain.
@natecull Well one thing's for sure, we ought to kill the CA cartel. Let's Encrypt is a start, but the entire design is wrong.
So we know the goal... Like DNS, finding a proper solution is still a WIP :)
@cwebber This is where I wish we had a generalised 'key space' of some kind: eg, a namespace like DNS but where registering a name means you have a private key for that name.
But I guess there's a whole huge legal minefield around any kind of human readable names involving trademarks, libel law, hate speech etc, etc. And the problem of assigning 'root of trust' to the namespace root when we have no rational grounds to trust either nation-state or corporate level players.
@natecull We have possible solutions in progress!
So I'm convinced the DID spec (Decentralized Identifiers) is the right general "container" for these, though it's still WIP... see: https://opencreds.github.io/did-spec/
That's a bit general, and can be layered on top of a blockchain or DHT, with differing tradeoffs (basically, should objects be able to be garbage collected / disappear?)
@natecull However, it's not fully enough on its own: we also need a "petnames" type solution to have names be human readable. There are solutions to that, but really, they should be a light mapping to the underlying identifier. Zooko triangle squared: lightweight human readable -> the core of secure / decentralized
