Does any technology prevent a CA unilaterally revoking a certificate?

manpreet Best Answer 3 years ago

As far as I can tell, a CA is in a position to unilaterally revoke a certificate via the standard mechanisms (CRL, OCSP).

In an increasingly TLS world, what current technology stops a CA shutting down a service they don't like?

manpreet 3 years ago

Peer pressure, effectively.

There is a multi-layer structure of trust - the CAs trust the browser makers to include their root certificates, and not remove them without reason. The browser manufacturers trust the CAs to only sign certificates for legitimate requests, and implicitly agree to believe this, with the threat of removing the root certificates of CAs that don't actually do this. Website owners trust the CAs to work to keep their root certificates in all popular browser bundles (since manually adding certificates is a massive hurdle to user experience), and the browser manufacturers to keep root certificates in their bundles, unless there is some good reason not to (e.g. the CA asked for them to be removed).

Therefore, if a CA unilaterally revoked a certificate, the browser manufacturers could demand a reason, and, if they found that the reason was insufficient, remove the root certs belonging to that CA. They're unlikely to do so, unless it's a pattern (for example, revoking certificates belonging to sites in favour of a given political party).