A comprehensive deep-dive into WebPKI — the public key infrastructure underpinning HTTPS — covering how certificate authorities, root programs, and subscribers interact. Explains certificate types (DV, OV, EV), Certificate Transparency, revocation mechanisms (CRL, OCSP, CRLite, short-lived certs), and ACME Renewal Information (ARI). Uses real-world case studies including the Trustico private key disclosure scandal, Entrust's delayed revocation of 26,000+ mis-issued EV certs, and Microsoft's botched handling of 100M+ invalid certificates. Argues that CAs have historically prioritized subscriber convenience and their own financial interests over public safety, and offers practical recommendations: adopt ACME-integrated servers, move internal infrastructure to private CAs, and push root programs to enforce stricter accountability.

From blog.brycekerley.net (35m read time)
Table of Contents

- The Basics and What We Expect from WebPKI
- A Brief History of HTTPS and WebPKI
- Why Expire or Revoke At All?
- How Do You Revoke A Hundred Million Certificates?
- Mitigating This Mess
- What Is To Be Done?
- Credits Roll
