ameliaquining
How would you propose things should work instead?
The idea would be the ability for a certificate to accept multiple signatures, making it more of a "web-of-trust" system. So you still have your LetsEncrypt certificate, but maybe augmented by another signature from a similar authority located in another country, or some other reputable organization that has your best interests in mind.
Maybe there are problems with that, but I never really understood the limit of a single signature for certificates. Is it because of bandwidth and performance requirements? Is it really a problem nowadays, especially with ECDSA making public keys much smaller?
Does this solve any problem that isn't solved equally well by just acquiring multiple separate certificates? I guess it would make your service highly available in case of revocation, but unexpected revocations are rare enough that almost everyone is willing to run the risk of a brief outage in case one occurs.
I propose a system like SSH fingerprints.
Then anybody can maintain a database of "known fingerprints", and a web-of-trust can be established without depending on a central-point-of-censorship.
Fuck CAs. They're not and never have been trustworthy:
https://en.wikipedia.org/wiki/DigiNotar
https://en.wikipedia.org/wiki/Xcitium#Certificate_hacking
https://arstechnica.com/security/2025/06/chrome-boots-2-cert...
https://www.zdnet.com/article/google-guillotine-falls-on-cer...