However, this can be countered with another example from the original Against-DNSSEC FAQ, which shows why key pinning (HPKP) is a much better idea:
If over the next 5 years nothing more is done to shore up Internet security than is already being done, targeted CA-based attacks will become much riskier for NSA and GCHQ because of key pinning. To man-in-the-middle an HTTPS connection, NSA will need to know that the browser they’re targeting hasn’t already cached the correct key fingerprint for the server. If it has, the browser will scream bloody murder and, hopefully, report back to Google or the EFF about the discrepancy. People watching those logs will quickly discover which CAs are signing bogus certificates, and compromised CAs will be evicted from browsers. NSA and GCHQ will have to risk burning an entire CA every time they launch this attack. If we do nothing new at a protocol level, every Chrome and Firefox installation on the Internet will become part of a global anti-surveillance surveillance system.
What happens when the same story is repeated in a DNSSEC/DANE world? .COM is discovered to have signed bogus material for Facebook. Now what? Browsers can’t talk to .COM anymore?