Traces how Certificate Transparency turns CA mis-issuance into a public, append-only Merkle-tree record: SCTs, the gossip and audit model, how browsers enforce it, and why the same logs hand attackers a free subdomain map.
Traces how certificate revocation works on the web: CRLs, the OCSP request/response, stapling in the TLS handshake, must-staple, the privacy leak of plain OCSP, and why Let's Encrypt shut its responders off in 2025.
Traces how Mozilla, Apple, Microsoft, and Chrome curate the root CAs that anchor every HTTPS connection, the governance machinery behind inclusion and removal, and the Symantec, TrustCor, and Entrust distrust events that show the system enforcing itself.
How mutual TLS works at the message level, the CertificateRequest, Certificate, and CertificateVerify exchange in TLS 1.3, where client certificates are deployed, and why a private key beats every behavioral signal.
Traces the certificate authority from X.509's 1988 origins and the VeriSign oligopoly through the breaches that broke the trust model — Comodo, DigiNotar, TURKTRUST, Symantec — to Certificate Transparency and the CA/Browser Forum.
Two case studies in how browsers strip a certificate authority of trust: DigiNotar's 2011 breach and bankruptcy, and Symantec's 2017 mis-issuance saga and Google's staged distrust.
Traces Let's Encrypt from the 2013 founding of ISRG and the ACME protocol through the 2016 launch, the march to a majority-HTTPS web, and the 2024-2026 move from OCSP to CRLs and short-lived certificates.