Stefan Eissing

Yesterday's link to the Let's Encrypt blog dragged in some people who seem to think that CAs are unnecessary or even evil.

LE is a very small group who set out to improve the terrible CA situation and the fucking middle box corruptions.

They did that successfully with a budget that a medium-sized city spends on its department for car license plates.

So, my advice: don't yell at people who made the world somewhat better or you'll soon run out of ones who try.💁🏻‍♂️

13 comments
Kevin Riggle

@icing just link them “on trusting trust” and block them when they whine

orva

@icing Sometimes it feels like a big chunk of those people are ones that haven't actually experienced times before LE existed, but have somehow learned those attitudes from the generation who have.

n0toose

@icing "don't yell at people who made the world somewhat better or you'll soon run out of ones who try" is a great quote

Sebastian Lauwers

@icing I used to deploy CAs for a living, including providing consultancy on how to organise the security of root CAs, etc. This could be for banks, telcos, or governments.

When LE came about, my LinkedIn went “Fuuuuuuu”, and sounded as if the commies had won.

Even without the inherent security increase of having so many more websites encrypted, one of LE’s biggest contributions is that it forced people to stop manipulating privkeys manually and copying/emailing them around.

~n

@teotwaki @icing Also... the need for private CAs is still there. (no need to ask me how I know, I guess)
It's just that the grand bazaar of gold-plated bits died.

Sebastian Lauwers

@nblr Private CAs are still very clearly needed. I'm just appalled when I see people in charge of private CAs who don't know the first thing about certificates.

I had one argue to me that they couldn't issue a client cert without a domain name! This client cert was intended for an external party, and the CA person was happy to issue it with a cn=$external.DONOTUSE.$clientcompany.com. No way that could be abused.

~n

@teotwaki uuhm. uhm. I mean... technically (as in X.509 words on imaginary paper) you can even issue one without a CN, not sure if there's any implementation who would find that funny, but implying that there's any structure to what's in a CN? That sounds like someone who only ever suffered a single vendor's implementation and idea how to do things. lel. There is an abundance of other details of that spec one might want to argue over, this isn't one of them.

Dan Murphy

@icing that is utterly baffling, do people not remember the bad old days when certs were even more of a pain to deal with and cost just enough that most people understandably didn't bother?

EndlessMason

@DanHatesNumbers
And you had to manually extract the cert and upload it to cpanel up hill both ways in the snow

@icing

deepy

@DanHatesNumbers @icing what about the good old days where you had to yearly send a copy of your passport to Israel and you'd get a certificate in 1-5 business days?

[HUGS] getimiskon

@icing CAs are what you could call a "necessary evil", like lots of things in today's society, but I don't consider LE to be bad, compared to what other corporations do. It was an initiative to improve security on the web and it has been successful. Although, to be honest, I would like to see a more decentralized option being adopted instead.

ddg

@icing there are people who complain about LE? It's made my life so much easier I can't fathom someone yelling at them. I guess I just lack imagination…

Fubaroque

@icing Well, the browsers created the problem, that LetsEncrypt is trying to solve… 🥴

… nothing wrong with the encryption provided by a self signed certificate. 🤔
