The CA Is Dead

By Markus Maiwald, with Voxis Forge

Certificate Authorities are the protection racket of the internet.

Pay DigiCert $500 a year, and your website gets a green padlock. Stop paying, and your users see a skull-and-crossbones warning. The service they provide? Telling browsers: “Yes, this server is who it claims to be.” A verification that takes about twelve seconds of DNS lookup and a signature check – for which they charge enterprise rates and call it “trust.”

This is not security. This is a subscription to someone else’s opinion about your identity.

We just killed it. RFC-0016: Sovereign PKI formalizes what the Libertaria stack has been building toward since day one – a world where trust is computed from cryptographic proof and social attestation, not purchased from a Dutch bureaucrat who stamps forms because you paid the right fee to the right cousin.

The Racket

Let’s be precise about what Certificate Authorities actually do.

A CA answers one question: “Should I trust this public key?” It answers that question by checking whether someone paid them. That’s it. There is no deeper verification. There is no cryptographic insight. There is no trust – there is a transaction.

The entire X.509 certificate chain – that baroque tower of ASN.1, DER encoding, OCSP responders, CRL distribution points, and cross-signed intermediate certs – exists because in 1988, someone decided that trust should be hierarchical and delegated. From root CA to intermediate CA to end entity. A chain of authority where every link is a point of failure, a point of capture, and a point of rent extraction.

Let’s Encrypt Proved the Point

And then Let’s Encrypt happened.

The Internet Security Research Group gave away certificates for free. Automated. No human in the loop. ACME protocol: prove you control a domain via DNS or HTTP challenge, get a cert in 30 seconds. Ninety-day validity, auto-renewed.

The result? The internet did not become less secure. If anything, HTTPS adoption exploded – from ~40% in 2016 to ~95% by 2025. The “trust” that commercial CAs charged hundreds of dollars for turned out to be worth exactly zero dollars when the same trust could be computed automatically.

Let’s Encrypt proved three things:

1. Domain validation is trivially automatable. No human judgment required. No “extended validation.” No phone calls to verify your business address. A DNS TXT record or HTTP challenge file is sufficient.

2. The CA business model is artificial scarcity. There is no marginal cost to issuing a certificate. The infrastructure is a few servers running ACME. The $500/year “enterprise” certificates are functionally identical to the free ones.

3. CAs add zero security value. The actual security comes from TLS – the Diffie-Hellman key exchange, the AEAD cipher, the Noise-like handshake. The certificate is a wrapper. A permission slip. A receipt.

If a free, automated, zero-human-review process produces equivalent security – then what were we paying for all those years?

The Real Problem: Who Watches the Watchers?

Certificate Authorities are trusted by default. Your browser ships with a root store – a list of ~150 organizations whose word it will accept without question. Every device, every browser, every TLS library on the planet trusts these entities implicitly.

And they have failed. Repeatedly. Catastrophically.

This is not a list of edge cases. This is the steady state of the CA model. Centralized trust means centralized failure. When DigiNotar was hacked, every browser on Earth temporarily trusted forged Google certificates. Hundreds of millions of users. One point of failure.

And let’s name the elephant: intelligence agencies. The CA model is structurally designed for state-level MITM. Any government that can compel a CA to issue a certificate – through legal authority, national security letters, or a quiet conversation – can intercept any TLS connection on the planet. The CA does not need to be hacked. It needs to be asked.

You think the NSA doesn’t have access to a root CA? You think Mossad, with a track record of Stuxnet and Pegasus, respects the sanctity of DigiCert’s signing key? You think the PRC, which controls CNNIC, doesn’t issue certs on demand?

The CA model is not a security architecture. It is a surveillance architecture with a business model attached.

Three Moves: How Libertaria Killed the CA

RFC-0016 formalizes what we’ve been wiring together across the stack. Three surgical strikes. No new primitives – just connecting what already exists.

Move 1: DID-Authenticated Noise Sessions

Every connection between Libertaria nodes is a Noise XX handshake where both sides prove identity via the Sovereign Key Helix.

Alice's SoulKey X25519 → Noise XX static key
Bob's SoulKey X25519   → Noise XX static key

3-message handshake:
  Alice → Bob:  ephemeral key
  Bob → Alice:  ephemeral + static (encrypted)
  Alice → Bob:  static (encrypted)

Post-handshake:
  Both sides resolve the peer's DID Document
  Verify: remote Noise static key == DID X25519 public key
  If mismatch: tear down. No negotiation.

The certificate is the DID Document. Self-issued. Self-sovereign. Pinned to the Helix. No chain of signatures from strangers. No root CA. No intermediate CA. No OCSP responder. The handshake is the proof.

The function that kills X.509 is twelve lines of Zig in noise_binding.zig:

verifyAndBind(
    my_did,              ← my identity
    remote_static_key,   ← from Noise handshake
    peer_did,            ← resolved DID
    peer_x25519_keys,    ← from DID Document
    peer_deactivated     ← from DID state
)

If the remote Noise static key doesn’t match the peer’s DID Document, the connection dies. If the peer’s DID is deactivated, the connection dies. If the peer has no X25519 key agreement methods registered, the connection dies.

No fallback. No graceful degradation. No “well, the cert expired but the traffic looks fine.” The identity layer makes the decision. The transport layer enforces it.

Move 2: QVL Replaces the Trust Chain

CAs answer a binary question: trusted or not trusted. This is not how trust works. Trust is contextual. Temporal. Scalar. I might trust you enough to relay my gossip messages but not enough to co-sign my financial transactions. A CA cannot express this. It’s a light switch when you need a dimmer.

The Quasar Vector Lattice computes trust as a score – 0.0 to 1.0 – from the verifier’s own position in the trust graph. Not from DigiCert’s opinion. Not from any authority. From your graph, your attestations, your experience.

CA Model:                 Libertaria Model:

DigiCert says "trusted"   My trust graph says:
┌───┐                     ┌───────────────────────┐
│ 1 │  (binary)           │ 0.87 (3 attest paths, │
└───┘                     │ avg 2 hops, decay 0.95│
                          └───────────────────────┘

Trust decays over time. effective_weight = weight × exp(-decay_rate × elapsed_time). Attestations from last year carry less weight than attestations from last week. This matches human behavior – trust erodes without reinforcement.

Bellman-Ford scans for negative cycles – betrayal rings where colluding nodes boost each other’s reputation. When detected, the response is automatic: quarantine, slash, exile.

Move 3: The Compatibility Shim

The legacy world still speaks TLS. Browsers want X.509. We provide two options, both at the boundary:

Option A (Pragmatic): For browser-facing HTTPS endpoints, use Let’s Encrypt. The ACME cert authenticates the domain; the DID resolution authenticates the entity. Two layers. Neither depends on the other for sovereignty.

Option B (Sovereign): For API consumers that resolve did:sovereign-skh1:, self-issue X.509 from SoulKey and pin it to the DID Document. The cert is a transport wrapper. The real assertion is the DID.

Inside the mesh: Zero X.509. Ever. The compatibility shim is a membrane – TLS terminates at the boundary, and inward-facing connections use DID-authenticated Noise XX.

Revocation: Where CAs Die Twice

The CA model has never solved revocation. OCSP (Online Certificate Status Protocol) requires a centralized responder – if it’s down, browsers “soft-fail” and accept the potentially revoked cert anyway. CRLs (Certificate Revocation Lists) are distributed periodically – meaning there is always a window where a revoked cert is still trusted.

The window is the vulnerability. And CAs have never closed it.

Libertaria closes it with two independent mechanisms – belt and suspenders:

Mechanism 1: Revocation Gossip. A revocation event is a signed QuasarVector distributed through the mesh’s Plumtree protocol. Same gossip channel as everything else. No new infrastructure. Propagation: 90% of the mesh within 3 rounds – seconds, not hours.

Mechanism 2: QVL Immune Response. When attestations get counter-signed as revoked, the trust score decays automatically. Even if the explicit revocation gossip never reaches you, the graph updates trickle in through independent paths, and the score drops. The mesh is its own immune system.

Both Libertaria mechanisms are faster, more reliable, and have zero single points of failure. The CA’s revocation model is not just inferior – it is architecturally incapable of competing.

The Cold Start: Day Zero Identity

Every CA-kill design has one puzzle: what about a brand-new node with no reputation? CAs solve this trivially – pay them, get a cert, done.

Libertaria solves it through Larval Identity. A new node gets bootstrap vouches from Chapter members – cryptographic attestations with 48-hour TTL and zero transitivity. Three independent vouches from distinct DIDs, and the node graduates to full mesh participation.

It’s the digital equivalent of “three people in town vouch for the newcomer.” No authority. No payment. Social proof with cryptographic binding and automatic expiry.

If you don’t graduate in 48 hours, your vouches expire and you start over. No phantom identities. No zombie certificates haunting the mesh years after they should have died – unlike X.509, where expired certs from decomissioned servers linger in CT logs forever.

Chapter-Issued Trust: The New Normal

In Libertaria, Chapters issue their own trust. A Chapter is a sovereign community – 50 to 5,000 people with a shared social contract. When a Chapter member vouches for a new node, they are staking their own reputation. The attestation carries weight because it’s attached to a real identity with real social consequences.

This is not a theoretical improvement over CAs. It is a categorical difference.

What This Means for the Stack

RFC-0016 is now in Draft. The implementation touches four files in libertaria-stack:

• trust/vector.zig – Two new VectorTypes: pki_revoke = 0x0733, pki_attest = 0x0734
• ssi/gossip.zig – Two new gossip topics: $DID/{did}/pki/revoke, $DID/{did}/pki/attest
• noise_binding.zig – Already wired. verifyAndBind() is the gate. No new code needed.
• trust_graph.zig – Already wired. CompactTrustGraph handles edge mutations. No new code needed.

A new daemon – libertaria-pkid – sits alongside libertaria-identd as a Janus :service project. It handles DID-auth enforcement, revocation relay, larval identity bootstrap, and the X.509 compatibility bridge for legacy endpoints.

Total wire format change: 4 lines of Zig. The architecture was already there. We just named it.

The Axiom

The CA was never about trust. It was about selling trust. A mafia racket with better branding. You pay for protection, and the protection is from the consequences of not paying.

Let’s Encrypt proved the racket was unnecessary. The intelligence services proved it was compromised. We proved it was replaceable.

The Helix computes trust for free. The mesh enforces it for free. The protocol guarantees it mathematically.

Trust is not a product. It is a computation.

And computations don’t need a certificate.

Read More

• RFC-0016: Sovereign PKI – Full protocol specification
• L1 Identity – Sovereign Key Helix and QVL trust graph
• L0 Transport – Noise XX and wire protocol
• Protocol Stack Overview – The six-layer Sovereign Shell