LALA again: the X.509 security model. Solution: DNSSEC + DANE TLSA + self-signed certificate + browsers that accept self-signed certificates when a DANE TLSA record is present.
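To make the proposal concrete, here is an added example (not code from this post) of the two halves it needs: what a site operator publishes in DNS for a self-signed certificate (a usage 3 / DANE-EE TLSA record), and the check a browser would run before trusting that certificate without any CA. The DER inputs and the resolver's DNSSEC verdict are constructed stand-ins; a real client takes them from the TLS handshake and a validating resolver.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 3 = DANE-EE: the record pins the end-entity certificate itself
    selector: int       # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa_rdata(text: str) -> TLSARecord:
    """Parse the presentation form '3 1 1 <hex>' into a TLSARecord."""
    usage, selector, mtype, hexdata = text.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))

def publish_tlsa(spki_der: bytes) -> str:
    """What the site operator puts in DNS for a self-signed cert: usage 3, SPKI, SHA-256."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"

def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does this record pin the presented certificate (or its public key)?"""
    selected = {0: cert_der, 1: spki_der}.get(record.selector)
    if selected is None:
        return False  # unknown selector: the record is unusable and never matches
    if record.matching_type == 0:
        digest = selected
    elif record.matching_type == 1:
        digest = hashlib.sha256(selected).digest()
    elif record.matching_type == 2:
        digest = hashlib.sha512(selected).digest()
    else:
        return False  # unknown matching type: unusable
    return hmac.compare_digest(digest, record.data)

def dane_ee_decision(rrset_state: str, records, cert_der: bytes, spki_der: bytes) -> str:
    """Browser-side policy from the post. rrset_state is the validating resolver's DNSSEC
    verdict for the TLSA RRset: 'secure', 'insecure' or 'bogus'. Only usage 3 is modelled."""
    if rrset_state == "bogus":
        return "fail"     # broken or forged DNSSEC chain: do not connect
    if rrset_state != "secure" or not records:
        return "no-dane"  # unsigned zone or no TLSA record: fall back to the X.509 CA model
    # With DANE-EE the DNSSEC-signed record is the binding; the certificate's own name and
    # validity period are not what authenticates it (RFC 7671, section 5.1), and no CA is asked.
    if any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der) for r in records):
        return "dane-ok"
    return "fail"         # signed TLSA exists but the presented cert does not match it

# Constructed stand-ins for the DER bytes a real client extracts from the server's certificate.
SAMPLE_CERT_DER = b"constructed stand-in for a self-signed certificate, DER"
SAMPLE_SPKI_DER = b"constructed stand-in for that certificate's SubjectPublicKeyInfo, DER"
```

A certificate mis-issued by a CA, as in the Symantec cases quoted below, would not match the operator's signed TLSA record and is rejected under this policy even though a browser trusting the CA would accept it.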
In October 2015, Symantec fired an undisclosed number of employees responsible for issuing test certificates for third-party domains without the permission of the domain holders. One of the extended-validation certificates covered google.com and www.google.com and would have given the person possessing it the ability to cryptographically impersonate those two addresses. A month later, Google pressured Symantec into performing a costly audit of its certificate issuance process after finding the mis-issuances went well beyond what Symantec had first revealed.
In January, an independent security researcher unearthed evidence that Symantec improperly issued 108 new certificates. Thursday's announcement came after Google's investigation revealed that over a span of years, Symantec CAs have improperly issued more than 30,000 certificates. Such mis-issued certificates represent a potentially critical threat to virtually the entire Internet population because they make it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.
Symantec's repeated violations underscore one of the problems Google and others have in enforcing terms of the baseline requirements. When violations are carried out by issuers with a big enough market share they're considered too big to fail. […]