Good article; glad to see that the security of external CAs is brought up as a risk factor for organizations.

One point that struck me while reading this post is that it doesn’t quite explain how a CA breach could really affect an organization. While it is certainly true that there are many different CA trust stores built into software/devices, a breach of one of the trusted CAs doesn’t necessarily mean ‘game over’ for an organization. It all depends on exactly how the devices use certificates and what services they provide.

For example, organizations that rely heavily on certificates issued by a compromised public CA for securing externally facing websites would definitely be impacted and would likely need to scramble to replace those certificates. Organizations that use code signing certificates issued by a compromised public CA would also be greatly impacted.

In other cases, the risks are a little harder to understand, such as the load balancer example you mentioned above.