:INFO PKI as a Social and Technical System Public Key Infrastructure is the system of trust that makes HTTPS work — not just the cryptography, but the organizational rules, audit requirements, and browser policies that determine whose signatures your computer trusts. The technical substrate is X.509 certificates. The social substrate is the CA/Browser Forum, a consortium of certificate authorities and browser vendors that sets binding rules about what certificates can be issued and how. Understanding both layers explains why HTTPS is resilient and where it can still fail.
:PATH Inside an X.509 Certificate An X.509 certificate is a data structure that binds a public key to an identity and is signed by a certificate authority. The major fields are: version (always 3 for modern certs), serial number (unique within the CA's issuances), issuer (the CA's disting
:PATH The CA Hierarchy and Trust Anchors Root CA certificates are self-signed and embedded in the operating system or browser trust store. When you install macOS or Chrome, you are implicitly trusting the roughly 150 root CAs included. Root CAs rarely issue certificates directly — they sign inte
:PATH Certificate Transparency Logs Certificate transparency requires that every certificate issued by a publicly trusted CA be logged to one or more append-only CT logs before browsers will accept it. Each log uses a Merkle tree structure: new certificates are appended as leaves, the
:PATH Revocation: OCSP and CRL When a certificate's private key is compromised or a certificate is issued in error, it must be revoked before expiry. Certificate Revocation Lists (CRLs) are lists published by CAs that browsers can download, but they can be megabytes in size and stale.
:NOTE HTTP Public Key Pinning (HPKP) was a mechanism that allowed websites to instruct browsers to only accept certificates matching specific pinned public key hashes. The intent was to prevent fraudulent certificates from being trusted even if issued by a trusted CA. In practice, several high-traffic sites accidentally pinned incorrect hashes or lost access to their pinned keys. When a pin expires or a pinned key is lost, the site becomes inaccessible to all users who cached the pin. Google Chrome re
:INFO Go Deeper: Merkle Trees Certificate transparency logs are append-only Merkle trees — the same data structure that makes git work and blockchains possible. The Merkle tree is the bridge between cryptographic hashing and distributed systems: it allows any party to verify that a specific item is included in a large dataset, using a proof that is logarithmic in the dataset size. Understanding Merkle trees opens the door to how distributed systems achieve verifiable integrity.
:INFO [links:https://slatesource.com/s/1021] Understand Merkle Trees and Hash Chains A deep look at the data structures that make blockchains, git, and certificate transparency possible — and the O(log n) inclusion proofs that let you verify a single entry in a billion-record log.
:LINK https://certificate.transparency.dev Certificate Transparency — overview and logs
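The HPKP note above describes the failure mode in prose; the following added example (written for this page, not code from any browser or from the HPKP specification's authors) makes it concrete. It computes pins the way RFC 7469 defines them, base64 of the SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, builds and parses a Public-Key-Pins header, applies the RFC 7469 rule that a header is only honoured if it carries a backup pin not present in the served chain, and then simulates what a client that cached the pins does when the site rotates to the backup key versus to a key that was never pinned. The keys are constructed byte patterns wrapped in a hand-built Ed25519 SubjectPublicKeyInfo (RFC 8410 layout); nothing here is a real site's key or pin.

```python
import base64
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410): SEQUENCE {
# SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits) || 32-byte key }.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki(raw_public_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return ED25519_SPKI_PREFIX + raw_public_key


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin: base64(SHA-256(SubjectPublicKeyInfo DER)), per RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(pins, max_age: int) -> str:
    """Render a Public-Key-Pins response header value."""
    directives = [f'pin-sha256="{p}"' for p in pins]
    directives.append(f"max-age={max_age}")
    return "; ".join(directives)


def parse_pkp_header(value: str):
    """Return (set of pins, max_age) from a Public-Key-Pins header value."""
    pins, max_age = set(), 0
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name == "pin-sha256":
            pins.add(arg.strip('"'))
        elif name == "max-age":
            max_age = int(arg)
    return pins, max_age


def header_is_valid(pins, chain_spkis) -> bool:
    """RFC 7469 backup-pin rule: at least one pin must match an SPKI in the
    served chain, and at least one must NOT (the backup). A conforming client
    ignores a header that lacks a backup pin."""
    chain_pins = {pin_sha256(s) for s in chain_spkis}
    return bool(pins & chain_pins) and bool(pins - chain_pins)


def connection_allowed(cached_pins, chain_spkis) -> bool:
    """Client-side check on a later connection: some SPKI in the presented
    chain must match a pin the client cached earlier."""
    return any(pin_sha256(s) in cached_pins for s in chain_spkis)


# Constructed keys (not real site keys): the key in use today, an offline
# backup key, and a key that was never pinned.
KEY_CURRENT = bytes([0x11] * 32)
KEY_BACKUP = bytes([0x22] * 32)
KEY_NEVER_PINNED = bytes([0x33] * 32)

SPKI_CURRENT = ed25519_spki(KEY_CURRENT)
SPKI_BACKUP = ed25519_spki(KEY_BACKUP)
SPKI_NEVER_PINNED = ed25519_spki(KEY_NEVER_PINNED)

# 5184000 seconds (60 days) is a constructed max-age for the demonstration.
GOOD_HEADER = build_pkp_header(
    [pin_sha256(SPKI_CURRENT), pin_sha256(SPKI_BACKUP)], 5184000)
# The outage case: the operator pinned only the key currently deployed.
NO_BACKUP_HEADER = build_pkp_header([pin_sha256(SPKI_CURRENT)], 5184000)


def rotation_outcomes():
    """Simulate a client that cached GOOD_HEADER, then sees the site rotate
    to each candidate key. Returns {scenario: connection allowed?}."""
    cached, _ = parse_pkp_header(GOOD_HEADER)
    return {
        "rotate_to_backup": connection_allowed(cached, [SPKI_BACKUP]),
        "rotate_to_never_pinned": connection_allowed(cached, [SPKI_NEVER_PINNED]),
    }


if __name__ == "__main__":
    print("Public-Key-Pins:", GOOD_HEADER)
    print("header honoured:", header_is_valid(parse_pkp_header(GOOD_HEADER)[0], [SPKI_CURRENT]))
    print(rotation_outcomes())
```

The second scenario is the outage the note describes: every client that cached the pins refuses the new key until max-age elapses, and the site has no way to push a corrected header to a client that will not connect.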
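The Certificate Transparency Logs path and the Go Deeper: Merkle Trees section both rest on the same mechanism: a log appends entries as leaves, publishes a tree head, and hands out an inclusion proof of O(log n) sibling hashes. The following added example (written for this page, not code from any CT log or from the Certificate Transparency project) implements the RFC 6962 tree hash with its 0x00 leaf / 0x01 node prefixes, generates the inclusion path for a leaf, and verifies it with the index-driven algorithm from RFC 9162 section 2.1.3.2, which is what a client does when checking an SCT's entry against a signed tree head. The entries are constructed byte strings; a real log hashes MerkleTreeLeaf structures wrapping the certificate, but the tree algorithms are identical.

```python
import hashlib

# Sample entries below are constructed stand-ins for the MerkleTreeLeaf
# structures a real CT log hashes; the tree algorithms are RFC 6962's.


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # Leaves get a 0x00 prefix and interior nodes a 0x01 prefix, so a leaf's
    # bytes can never be passed off as an interior node (or vice versa).
    return sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries) -> bytes:
    """MTH(D[n]): the Merkle Tree Hash a log signs in its signed tree head."""
    n = len(entries)
    if n == 0:
        return sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = split_point(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_path(index: int, entries) -> list:
    """PATH(m, D[n]): the sibling hashes from leaf m up to the root. Its
    length is at most ceil(log2(n)), which is why proving one entry in a
    billion-record log takes only about 30 hashes."""
    n = len(entries)
    if n <= 1:
        return []
    k = split_point(n)
    if index < k:
        return inclusion_path(index, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_path(index - k, entries[k:]) + [tree_head(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int, path, root: bytes) -> bool:
    """Verifier side (RFC 9162, section 2.1.3.2): rebuild the root from the
    leaf and its path, choosing left/right at each level from the leaf index
    and tree size alone, and accept only if the path is consumed exactly."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False  # more path elements than the tree has levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while not fn & 1 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample log of seven entries (not real certificates).
SAMPLE_ENTRIES = [f"constructed-entry-{i}".encode() for i in range(7)]


def check_all_proofs(entries) -> bool:
    """Every leaf's proof must verify against the head of the same tree."""
    root = tree_head(entries)
    n = len(entries)
    return all(verify_inclusion(e, i, n, inclusion_path(i, entries), root)
               for i, e in enumerate(entries))


if __name__ == "__main__":
    root = tree_head(SAMPLE_ENTRIES)
    proof = inclusion_path(6, SAMPLE_ENTRIES)
    print("tree head:", root.hex())
    print("proof for leaf 6 has", len(proof), "hashes")
    print("valid:", verify_inclusion(SAMPLE_ENTRIES[6], 6, 7, proof, root))
    print("forged leaf:", verify_inclusion(b"forged", 6, 7, proof, root))
```

The prefix bytes are the detail worth noticing: without domain separation between leaves and nodes, an attacker who can get a crafted entry logged could present interior-node bytes as a leaf and forge proofs for entries that were never logged, which is exactly the kind of forgery CT exists to make detectable.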