Hacker News

Can you point to USG or Chinese CAs that publicly mis-issued or used certs? CNNIC comes to mind and they've been removed. Which others were you thinking about?


I'm not aware of any; I was just referring to the evident more general contempt for security.


In other words, no USG or remaining China CA has violated the CA guidelines and requirements publicly.


I'm not sure what you are suggesting - that the CA guidelines need to be changed? Instead of the CA system being scrapped?


CNNIC did not mis-use or mis-issue certs, but issued a cert to an Egyptian company which mis-used it, iirc.


Uh, issuing a CA cert to the Egyptian company was the very definition of mis-issuing a cert!


No, the definition of mis-issuing a cert is when you issue a Google cert to someone who isn't Google. Not doing due diligence on what people to whom you've issued a cert are doing with it is a little different.

This is just semantics, though. I think everyone agrees they done bad.



