A security researcher was able to revoke a third party's Symantec certificate by presenting a fake private key.

https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html

Symantec have at least acknowledged that this is a problem.

https://www.symantec.com/connect/blogs/third-party-revocation-updates

... but seriously, why do we even still have PKI? Shouldn't DNS registrars be the ones signing certs.After all, that's *all* a cert means, that you own a domain.

@natecull Well one thing's for sure, we ought to kill the CA cartel. Let's Encrypt is a start, but the entire design is wrong.

So we know the goal... Like DNS, finding a proper solution is still a WIP :)

@cwebber This is where I wish we had a generalised 'key space' of some kind: eg, a namespace like DNS but where registering a name means you have a private key for that name.

But I guess there's a whole huge legal minefield around any kind of human readable names involving trademarks, libel law, hate speech etc, etc. And the problem of assigning 'root of trust' to the namespace root when we have no rational grounds to trust either nation-state or corporate level players.

@natecull We have possible solutions in progress!

So I'm convinced the DID spec (Decentralized Identifiers) is the right general "container" for these, though it's still WIP... see: https://opencreds.github.io/did-spec/

That's a bit general, and can be layered on top of a blockchain or DHT, with differing tradeoffs (basically, should objects be able to be garbage collected / disappear?)

@cwebber This looks interesting!

I'd MUCH rather any kind of DHT than any kind of blockchain - I think proof of work is a demonstrably failed mechanism which didn't accomplish any of the goals it set for itself and now is just a barrier to scaling and efficiency and, ironically, distributed hosting.