
Affirmation 1: The SSL certificate PKI is built upon the concept of the Certification Authority.

Affirmation 2: My device blindly trusts any root certificate installed on it and makes no distinction about which one is better - every root certificate is equal in security (considering only standard certificates, not extended validation ones).

Affirmation 3: CAs can issue certificates to any domain in the world.

I have always heard from the corporate environment that we need to buy certificates from "good" CAs (and most of the time the "good" CAs are the largest companies, with the most expensive certificates).

The problem is: if affirmations 1, 2 and 3 are true, it doesn't matter whether I get my certificate issued by CA A or CA B. Reasons:

  1. The certificate will be trusted by browsers (modern ones, at least), whatever CA is used.
  2. If an attacker could somehow generate arbitrary certificates from a specific CA, I would be affected too, even if I have no certificates from that CA.

So, based on the previous thought, do I need to be concerned about the security procedures of a CA, or can I just check which one is cheaper? Besides that, could the security of the whole SSL PKI be measured by the weakest CA, like the weakest link?

I know about certificate pinning, but I don't know if this concept is relevant here.

rcorreia
  • You are right with your suspicions. For more detail, see the question linked to above. – StackzOfZtuff Aug 01 '17 at 19:25
  • @StackzOfZtuff the related answer addresses my problem. Thank you, I had not found it. – rcorreia Aug 01 '17 at 20:01
  • Yes, you currently depend on the weakest CA trusted by your clients (for the WWW, mostly browsers). Pinning and pinning preload, https://www.certificate-transparency.org/ and CAA (https://security.stackexchange.com/questions/158061/google-certificate-and-caa) are approaches to mitigate this. There is an X.509 extension, NameConstraints, designed for this, but it is not much used or implemented so far; use search to find several Qs on it. – dave_thompson_085 Aug 02 '17 at 02:47
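The last comment names CAA as one way to narrow the "weakest CA" exposure the question describes. The following is an added example, not code from the question or its comments: a small offline model of the CAA check (RFC 8659) that a CA is expected to perform before issuing. The DNS zone and the CA names `ca-a.example` and `ca-b.example` are constructed for illustration, and CNAME/DNAME handling is omitted.

```python
# Added example (not from the original question or comments): an offline model
# of the CAA check (RFC 8659) that a CA is expected to run before issuing.
# CAA lets a domain owner say which of the many trusted CAs may issue for it,
# which narrows the "weakest CA" exposure discussed above. The zone below is
# constructed; a real CA would query DNS (CNAME/DNAME handling is omitted).

# constructed CAA records: owner name -> list of (flags, tag, value)
CAA_ZONE = {
    "example.com": [(0, "issue", "ca-a.example"), (0, "issuewild", ";")],
    "sub.example.com": [(0, "issue", "ca-b.example")],
}


def relevant_caa_set(fqdn, zone):
    """RFC 8659 section 3: climb from the FQDN towards the TLD and return the
    first non-empty CAA record set found, or [] if no ancestor has one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def caa_permits(fqdn, ca_domain, zone, wildcard=False):
    """True if the CA identified by ca_domain may issue for fqdn (or *.fqdn
    when wildcard=True) according to the relevant CAA record set."""
    records = relevant_caa_set(fqdn, zone)
    if not records:
        return True  # no CAA anywhere up the tree: every trusted CA may issue
    issue = [v for _, tag, v in records if tag == "issue"]
    issuewild = [v for _, tag, v in records if tag == "issuewild"]
    # Wildcard requests are governed by issuewild when present, else by issue;
    # non-wildcard requests ignore issuewild entirely.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only unrelated tags (e.g. iodef) present: no restriction
    # The issuer domain is the part before ";"; parameters after it are ignored
    # here. A bare ";" has an empty issuer, which forbids issuance to everyone.
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    return ca_domain.lower() in allowed
```

With this zone, `sub.example.com` and its children are reserved for `ca-b.example`, everything else under `example.com` for `ca-a.example`, and no CA at all may issue `*.example.com`.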
