> So a bad actor can still issue a multi-year certificate for itself, and in the absence of side-channel verification the browser is none the wiser.
How would a bad actor do that without a certificate authority being involved?
The bad actor would also need to install a root for their custom CA on the end-user device.
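The distinction the replies draw (browsers cap leaf-certificate lifetime only for chains ending in a publicly trusted root, so a multi-year certificate under a locally installed root passes) can be turned into a defender-side check. This is an added example, not code from the thread; the 398-day cap is the current public-CA limit, and the `Cert` record and sample entries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Maximum leaf lifetime that major browsers enforce for certificates
# chaining to a *publicly* trusted root (398 days). Assumed policy value.
PUBLIC_MAX_LIFETIME = timedelta(days=398)


@dataclass
class Cert:
    """Hypothetical minimal view of a leaf certificate and its trust anchor."""
    subject: str
    not_before: datetime
    not_after: datetime
    root_publicly_trusted: bool  # False for a locally installed custom root


def lifetime(cert: Cert) -> timedelta:
    return cert.not_after - cert.not_before


def evaluate(cert: Cert, max_lifetime: timedelta = PUBLIC_MAX_LIFETIME) -> str:
    """Return 'ok', 'reject' or 'audit-local-root'.

    Browsers apply the lifetime cap only to publicly trusted chains, so an
    over-long leaf under a locally installed root is not rejected by the
    browser; it is surfaced here for trust-store review instead.
    """
    too_long = lifetime(cert) > max_lifetime
    if cert.root_publicly_trusted:
        return "reject" if too_long else "ok"
    return "audit-local-root" if too_long else "ok"


# Constructed sample certificates (not real certificates).
_start = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLES = [
    Cert("shop.example", _start, _start + timedelta(days=365), True),
    Cert("mail.example", _start, _start + timedelta(days=3 * 365), True),
    Cert("intranet.corp.example", _start, _start + timedelta(days=5 * 365), False),
]


def report(certs=SAMPLES) -> dict:
    """Map each subject to its verdict so the result can be inspected."""
    return {c.subject: evaluate(c) for c in certs}


if __name__ == "__main__":
    for subject, verdict in report().items():
        print(f"{subject}: {verdict}")
```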