2016 was a significant year for the mine fire that is the CA industry. In one sense, nothing much changed: CAs continued to charge big money for random-looking bit strings whilst sometimes doing Bad Things or having their infrastructure hijacked. But things are changing!

In this talk I will recap the events of 2016 and discuss several ongoing efforts to control the fire, including:
- The WoSign / StartCom backdated certificate shenanigans, and browser vendors waking up and finding that they are strong
- The impact of Let's Encrypt (a free, automated, publicly trusted CA), including (hilarious) reactions of incumbent CAs
- Certificate misissuance (Symantec et al.) and how Certificate Transparency logs are being used to detect misissuance
- Altogether avoiding the CA cartel with DNSSEC-based certificate trust (DANE)