Certificate authorities are the (shaky af) basis of the entire trust chain of the web.
Because its root certificate is in everybody's CA bundle, StartCom had a moral responsibility to understand the security around this product. This is negligence.
I don't have any StartCom certificates right now, but I sure won't have any in the future after this display.
What would a "CA death penalty" look like? They're a "root" CA, is there an entity that signed their root certificate that could issue a revocation? Or would we have to get all the OS and browser vendors to agree to phase out their root after some time?
Because its root certificate is in everybody's CA bundle, StartCom had a moral responsibility to understand the security around this product. This is negligence.
I don't have any StartCom certificates right now, but I sure won't have any in the future after this display.
What would a "CA death penalty" look like? They're a "root" CA, is there an entity that signed their root certificate that could issue a revocation? Or would we have to get all the OS and browser vendors to agree to phase out their root after some time?