undefined | Better HN

0 pointsnickf2y ago0 comments

That really isn't how this works. DigiCert don't have any 'power' as you suggest - the .be government are free to choose any CA they wish from those who are globally trusted. These are for serverAuth certificates, too, so no-one is talking about internal/top-secret/sensitive intra-government communications.

Even if you were paranoid enough to think a US company like DigiCert would 'do anything' - their issuance is subject to public scrutiny (something the EU proposal doesn't like) and malfeasance has very real consequences to the whole of Digicert's business.

0 comments

3 comments · 3 top-level

sam_lowry_2y ago

Before the change, the Belgian government did not have to choose any CA from "globally trusted". They were one of the globally trusted CAs.

I think the eIDAS is trying to revert the trend and put Europeans back in charge of their CAs. See for instance the eSignature Trusted Lists like this one [1]

I understand and support the intention. European Commission is just too bad at implementing it.

[1] https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo...

ginko2y ago

DigiCert's HQ is a 10 minute drive away from the NSA's Utah Data Center. I don't think you you need to be particularly paranoid to think there might be foul play there.

pieter_mj2y ago

That is how what specifically doesn't work? Could you specify? Digicert's root certificates serve all purposes, not just serverauth.

NSA can and will use CA certs to mitm when they want, there's no need for overt malfeasance on Digicert's side.

j / k navigate · click thread line to collapse