[HN Gopher] How to distrust a CA without any certificate errors
       ___________________________________________________________________
        
       How to distrust a CA without any certificate errors
        
       Author : tptacek
       Score  : 18 points
       Date   : 2025-03-06 22:28 UTC (32 minutes ago)
        
 (HTM) web link (dadrian.io)
 (TXT) w3m dump (dadrian.io)
        
       | mcpherrinm wrote:
       | The flipside of the same technical points is
       | https://sslmate.com/blog/post/entrust_distrust_more_disrupti...
       | where some non-browser clients don't handle this, or worse,
       | handle it incorrectly.
        
         | tptacek wrote:
         | Right; it's imperfect, as everything is. But of course, it's
         | also a huge bit of leverage for the root programs (more
         | accurately, a loss of leverage for CAs) in killing misbehaving
         | CAs; those programs can't be blackmailed with huge numbers of
         | angry users anymore, only a much smaller subset of users. Seems
         | like a good thing, right?
        
         | dadrian wrote:
          | Non-browser clients shouldn't be expected to crib browser trust
          | decisions. Also, the (presumably?) default behavior for a non-
          | browser client that consumes a browser root store but is unaware
          | of the constraint behavior is to not enforce the constraint.
         | So they would effectively continue to trust the CA until it is
         | fully removed, which is probably the correct decision anyway.
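The split dadrian describes, as an added illustration that is not code from the article or from anyone in this thread: a constructed root store whose entry carries an assumed date-based distrust constraint, checked by one verifier that enforces it and one that imported the same roots but ignores the field. The constraint shape, root names, dates and the choice of issuance timestamp are all assumptions; the page does not specify the mechanism.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

@dataclass(frozen=True)
class RootEntry:
    """One entry in a constructed root store (hypothetical format)."""
    name: str
    # Assumed date-based constraint: leaves the verifier dates at or after this
    # instant are rejected; leaves dated before it keep validating unchanged.
    distrust_after: Optional[datetime] = None

@dataclass(frozen=True)
class LeafCert:
    """Constructed stand-in for a leaf certificate; no real X.509 parsing."""
    issuer: str
    # The issuance time a verifier attributes to the leaf (for example its
    # notBefore or an embedded SCT timestamp; which one is an assumption here).
    issued_at: datetime

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed store: one unconstrained root and one root with a cutoff applied.
ROOT_STORE: Dict[str, RootEntry] = {
    "Example Root A": RootEntry("Example Root A"),
    "Example Root B": RootEntry("Example Root B", distrust_after=utc(2025, 1, 1)),
}

def constraint_aware_trusts(leaf: LeafCert, store: Dict[str, RootEntry]) -> bool:
    """A client that understands the constraint: only leaves dated after the
    cutoff fail, so sites with existing certificates see no errors."""
    root = store.get(leaf.issuer)
    if root is None:
        return False
    if root.distrust_after is not None and leaf.issued_at >= root.distrust_after:
        return False
    return True

def constraint_unaware_trusts(leaf: LeafCert, store: Dict[str, RootEntry]) -> bool:
    """A client that imported the store's roots but ignores the constraint field:
    it keeps trusting the CA until the root is removed from the store outright."""
    return leaf.issuer in store

def without_root(store: Dict[str, RootEntry], name: str) -> Dict[str, RootEntry]:
    """The eventual full removal, after which both kinds of client reject."""
    return {k: v for k, v in store.items() if k != name}
```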
        
       ___________________________________________________________________
       (page generated 2025-03-06 23:00 UTC)