One issue I have is governments that serve their own CA which you must trust before accessing their services. BR, IN, CN, RU, some US federal services (which might still exist after musk junta took over), ES, etc...
I'm fine with some gov bureaucrat setting the keys for their own services, but the CAs are usually able to sign for all the internet. Would be nice if browsers/OS would allow an easy way to limit the TLDs you accept to trust a CA, but that is on the cert.
I'm fine with some gov bureaucrat setting the keys for their own services, but the CAs are usually able to sign for all the internet. Would be nice if browsers/OS would allow an easy way to limit the TLDs you accept to trust a CA, but that is on the cert.