Sebastian Lauwers

@icing I used to deploy CAs for a living, including providing consultancy on how to organise the security of root CAs, etc. This could be for banks, telcos, or governments.

When LE came about, my LinkedIn went “Fuuuuuuu”, and sounded as if the commies had won.

Even without the inherent security increase of having so many more websites encrypted, one of LE’s biggest contributions is that it forced people to stop manipulating privkeys manually and copying/emailing them around.

~n

@teotwaki @icing Also... the need for private CAs is still there. (no need to ask me how I know, I guess)
It's just that the grand bazaar of gold-plated bits died.

Sebastian Lauwers

@nblr Private CAs are still very clearly needed. I'm just appalled when I see people in charge of private CAs who don't know the first thing about certificates.

I had one argue to me that they couldn't issue a client cert without a domain name! This client cert was intended for an external party, and the CA person was happy to issue it with a cn=$external.DONOTUSE.$clientcompany.com. No way that could be abused.

~n

@teotwaki uuhm. uhm. I mean... technically (as in X.509 words on imaginary paper) you can even issue one without a CN; not sure if there's any implementation that would find that funny, but implying that there's any structure to what's in a CN? That sounds like someone who only ever suffered a single vendor's implementation and idea of how to do things. lel. There is an abundance of other details of that spec one might want to argue over; this isn't one of them.
