(Sorry for the broken references, my MUA misplaced the e-mail I'm *actually* replying to.)
On 03/14/2019 03:08 PM, Stephan von Krawczynski wrote:
> Some facts for you, as obviously you have not understood what a CA is worth that is compromised by either hackers or "authorities". If you want to know more, read articles about closing of CA DigiNotar, like: https://en.wikipedia.org/wiki/DigiNotar
> Then read US export laws concerning security devices. Then judge your US-issued certs...
Out of interest, does(*) or doesn't(**) your scenario include mechanisms like HPKP?
(*) I'm not aware of any MUAs implementing one, just browsers, and it's now being phased out by *them* in favor of CT, too.
(**) If not, the question of what CAs issued any *legit* certs for you has no practical relevance on whether and which other CAs may get hacked or judicially suborned into creating a working fraudulent one.
(Where "practical" means "you cannot expect the entire, possibly worldwide, user population to manually strip their clients' list of accepted CAs down to the one *you* chose".)
Regards,
Jochen Bern
Systems Engineer
www.binect.de www.facebook.de/binect