A small note on certificate-authority trust

A specific incident this month, a code-signing certificate that VeriSign issued in the name of a high-profile software vendor to someone who did not represent it, has clarified how fragile the CA trust model actually is in practice.

What happened

VeriSign issued a code-signing certificate to someone who claimed, falsely, to represent a major software vendor. The certificate was valid for two days before VeriSign realised the error and revoked it. During those two days, and on any machine that never learnt of the revocation, malware signed with the certificate would have appeared to be legitimately signed software from the vendor.

The specific harm appears to have been limited: the misissue was caught quickly, and no major exploitation has been reported. The structural lesson is more interesting than the specific harm.

What this teaches

Three things.

The CA model has weaknesses [I have written about](/blog/personal-ssl-ca) but had not seen exercised at scale. The trust model assumes that CAs verify identity correctly. VeriSign, one of the most established CAs, verified incorrectly. Other CAs are presumably making similar errors, perhaps at lower rates, with fewer people watching.

Revocation infrastructure is weak. The certificate was revoked within two days, but revocation is only as good as the check that consults it. Most clients do not check revocation status when they verify a signature; the revocation reaches a user only when that user's software fetches a fresh revocation list or ships an update that distrusts the certificate. A signature made while the certificate was valid therefore remains acceptable to every verifier that never learns of the revocation, and the window of operational exposure extends well beyond the formal revocation date.

The economic incentives are wrong. CAs profit from issuing certificates, and stricter verification lowers issuance rates. The pressure on a CA to verify well is mostly reputational, and reputational pressure is uneven.

What this implies

For operators: a certificate from any CA should be treated as a probabilistic assurance, not a definitive one. Defence in depth applies. A valid signature and chain is one signal; current revocation status, an allowlist of publisher keys you have verified yourself, and the provenance of the download are others. Code signing alone is not a sufficient condition for trust.
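A worked illustration of the last two points (the revocation window, and code signing as one signal among several), added here as an example and not part of the original post. It builds a toy root CA and an impostor's code-signing certificate in-process, signs a constructed payload, and then compares the check most verifiers stop at (signature plus chain to a trusted root) with one that also demands a fresh, CA-signed CRL and an operator-maintained allowlist of publisher keys. The CA name, the vendor name, the payload and the one-hour CRL lifetime are all constructed for the example; nothing here is VeriSign's or the vendor's data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for a signed binary (example data, not a real vendor's file).
const payload = "installer bytes (constructed)"

// toyPKI: root CA, one code-signing leaf, the CA's CRL and a signature over payload, all generated in-process.
type toyPKI struct {
	ca, leaf    *x509.Certificate
	crlDER, sig []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI issues a code-signing cert to "Example Software Vendor", signs payload with it and, if revoked, publishes a CRL listing it.
func buildPKI(revoked bool) *toyPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Software Vendor"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	h := sha256.Sum256([]byte(payload))
	sig := must(ecdsa.SignASN1(rand.Reader, leafKey, h[:]))
	// The CRL is good for one hour; after NextUpdate a verifier must fetch a fresh one.
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if revoked {
		crl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	return &toyPKI{ca: ca, leaf: leaf, sig: sig, crlDER: must(x509.CreateRevocationList(rand.Reader, crl, ca, caKey))}
}

// chainOnly is where most verifiers stop: signature plus a chain to a trusted root. No CRL, so a revoked cert keeps passing.
func chainOnly(p *toyPKI, signed, sig []byte) error {
	if err := p.leaf.CheckSignature(x509.ECDSAWithSHA256, signed, sig); err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(p.ca)
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// spkiFingerprint: hex SHA-256 of the SubjectPublicKeyInfo, i.e. which key signed, whatever a CA said about its owner.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// defenseInDepth adds a fresh CA-signed CRL and an operator-kept publisher-key allowlist to the chain check.
func defenseInDepth(p *toyPKI, signed, sig []byte, trustedPublishers map[string]bool, now time.Time) error {
	if err := chainOnly(p, signed, sig); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(p.crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(p.ca)
	}
	if err != nil {
		return fmt.Errorf("unusable crl: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("crl stale since %v: unknown revocation status is not good status", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v is revoked", p.leaf.SerialNumber)
		}
	}
	if !trustedPublishers[spkiFingerprint(p.leaf)] {
		return fmt.Errorf("signer key is not on the publisher allowlist")
	}
	return nil
}

func main() {
	p := buildPKI(true) // the CA has already revoked the impostor's certificate
	fmt.Println("chain only:    ", chainOnly(p, []byte(payload), p.sig))
	fmt.Println("with crl + pin:", defenseInDepth(p, []byte(payload), p.sig, nil, time.Now()))
}
```

The chain-only check returns nil for the revoked certificate, which is the post's point about revocation: nothing in a signature or a chain records that the issuer changed its mind. The layered check fails on the revoked serial, and it also fails closed once the CRL is past its NextUpdate, because an unknown revocation status is not a good one. The allowlist is the signal that would have caught this incident before anyone revoked anything: the impostor's key is not the vendor's key, whatever the certificate's subject says.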

For the longer term: the CA model needs structural change. The conversation about alternatives is starting; concrete alternatives are years away from deployment.

A short reflection

This is the calibrated humility discipline applied to trust infrastructure. The CA model is not perfect; it is what we have; the alternatives are not yet ready. Operators must use it while being clear-eyed about its limits.

More as the year develops.
