Distributed PKI isn't a new idea. There are a lot of articles and attempts to implement the concept in practice. Distributed PKI is based on the assumption that the process by which CAs issue and manage certificates contains critical vulnerabilities, so the certificate authority needs to be decentralized and the process made more transparent and harder to compromise.
The imperfections of centralized PKI rise to the surface once in a while, causing significant financial and reputational damage. One of the latest examples, from mid-2018, involves researchers who found a brand new malware project using digital certificates stolen from several Taiwanese tech companies, notably D-Link, to sign their malware and make it look like a legitimate application. What is baffling is that D-Link revoked the certificates only after being notified by the researchers. This means that this type of malware is tough to detect, since antivirus programs fail to check the certificate's validity even after companies revoke their certificates. Sadly, this is not an isolated case of hackers stealing valid certificates to sign their malware.
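The failure mode described above, as an added example that is not part of the original article: a binary signed with a stolen code-signing certificate still passes a bare signature check after the CA has revoked the certificate, and only a verifier that also consults the CA's CRL rejects it. The example uses the third-party `cryptography` package; the CA, the vendor name, the key pairs, the payload and the CRL are all constructed stand-ins, not real D-Link material.

```python
# Added example (not from the original article): a signed binary still verifies after
# the CA revoked the signing certificate unless the verifier also consults the CA's CRL.
# All keys, names and the CRL are constructed here; needs the 'cryptography' package.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
NOW = datetime.now(timezone.utc)
SIG_ALG = ec.ECDSA(hashes.SHA256())

def issue(common_name, pub, issuer_name, issuer_key, is_ca):
    """Issue a one-year certificate for `pub`, signed by `issuer_key`."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(minutes=1))
            .not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

# Constructed CA and vendor code-signing certificate (stand-ins, not real vendor material).
ca_key = ec.generate_private_key(ec.SECP256R1())
ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
ca_cert = issue("Example Root CA", ca_key.public_key(), ca_name, ca_key, True)
vendor_key = ec.generate_private_key(ec.SECP256R1())
vendor_cert = issue("Example Vendor Ltd", vendor_key.public_key(), ca_name, ca_key, False)
PAYLOAD = b"constructed sample executable bytes"   # the "binary"
SIGNATURE = vendor_key.sign(PAYLOAD, SIG_ALG)      # signed with the (later stolen) vendor key

def build_crl(revoked_cert):
    """The CA revokes `revoked_cert` by publishing a CRL that lists its serial number."""
    entry = (x509.RevokedCertificateBuilder().serial_number(revoked_cert.serial_number)
             .revocation_date(NOW).build())
    return (x509.CertificateRevocationListBuilder().issuer_name(ca_name).last_update(NOW)
            .next_update(NOW + timedelta(days=7)).add_revoked_certificate(entry)
            .sign(ca_key, hashes.SHA256()))

def verify_signed_binary(payload, sig, cert, crl=None):
    """Return (signature_valid, trusted); trusted only drops to False via the CRL."""
    try:
        cert.public_key().verify(sig, payload, SIG_ALG)  # signature over the binary
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))  # chains to CA
    except Exception:
        return (False, False)
    if crl is None:             # a check that stops here never notices the revocation
        return (True, True)
    if not crl.is_signature_valid(ca_cert.public_key()):
        return (True, False)    # CRL not signed by our CA: fail closed
    return (True, crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None)
```

Without the CRL the signed payload is reported as trusted; with the CA's CRL the same payload, signature and certificate are reported as valid but untrusted, which is the distinction an antivirus check must make.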