CA

The CA-based certificate trust model is fundamentally flawed, with OCSP/CRL revocation verification being nearly useless (soft-fail allows connections despite revocation). SSL pinning is difficult to implement and easy to break. CA infrastructure itself creates risk vectors, and certificate issuance relies on unverified DNS and email.