Comments

  • I agree with everything this person says.

    If they enforce HTTPS due to security, they would let us use self-signed certificates. It's a scam and I'm falling for it too because I'm tired of explaining to users that, no, the self-signed certificate is not dangerous. You can click the dismiss button and it'll work just fine. There are no input fields on my websites, you're not giving me any information. Why does it need encryption signed by a third party?

    • If clients trust the cert and add it to their store, what happens when your key is stolen? Where’s the CRL, and how is trust established with the provider of that CRL (which I assume is also self-signed and requires TOFU)? What if first contact is made with a MitM and trust is established with the actor?

      With no third party trust anchor, how do you authenticate identity? You’ve got an encrypted connection, but to whom?

      Certs on the public internet aren’t just about confidentiality and integrity, they’re about authenticity, something the author of the article doesn’t quite understand. Certificates are literally about binding identity to a key, with CAs providing a way to bootstrap trust of that binding.

      There hasn’t really been a better proposed solution to this problem.

      DANE/DNSSEC shifts trust from CAs to registrars, PGP Web of Trust is complex for users and adds friction to revocations, key pinning breaks catastrophically if you lose the key, DNS CAA just constrains the CA model but is still the same thing. Blockchain still has key-loss issues, and how do you handle disputes? Also, you’re centralising things economically, since the biggest miners thus dominate.

      SPKI was really interesting and actually positioned that identity key bindings via certs could negate the need for CAs if binding shifted to a protocol. It didn’t get anywhere though.

      Don’t get me wrong, I have my own PKI and CA at home and “self-sign” internally, but that’s fine when I can personally establish trust and authenticate; it doesn’t scale to the internet, where everyone is predominantly strangers.
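The reply above makes two points that are easy to state and easy to get wrong in practice: a certificate is a binding of a name to a key, and a client that trusts whatever it sees first (TOFU) has bound the name to whoever answered first, MitM included. The following Go program is an added example, not code from either commenter, that runs both trust models against the same three certificates using only the standard library. The CA name, the hostname `shop.example.invalid`, and the serial numbers are constructed for the example; `makeCert`, `verifyWithRoots`, `tofuStore` and `runScenario` are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert builds a certificate for name with a fresh P-256 key. With a parent it is
// signed by parentKey (CA-issued); with parent == nil it signs itself (self-signed).
func makeCert(name string, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the identity a client will ask for
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verifyWithRoots is what a browser does: chain the leaf to a trusted root and check
// that the certificate is bound to the hostname being contacted.
func verifyWithRoots(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// tofuStore models a client that pins the first key it sees per host (SHA-256 of the SPKI).
type tofuStore map[string][32]byte

// accept pins the key on first contact; afterwards only that key is accepted.
func (s tofuStore) accept(host string, c *x509.Certificate) bool {
	fp := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	if pinned, ok := s[host]; ok {
		return pinned == fp
	}
	s[host] = fp
	return true
}

type outcome struct {
	CAIssuedVerifies     bool // CA-issued leaf passes root-store validation
	SelfSignedUnknownCA  bool // self-signed leaf fails: no anchor binds name to key
	ImpostorPinnedFirst  bool // TOFU client accepted the impostor on first contact
	GenuineRejectedLater bool // ...and from then on rejects the genuine server
}

// runScenario: one CA, a genuine server, a self-signed impostor using the same
// constructed hostname, and two clients: a root store versus TOFU.
func runScenario() outcome {
	const host = "shop.example.invalid"
	ca, caKey := makeCert("Example Root CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	genuine, _ := makeCert(host, false, ca, caKey) // CA-issued
	impostor, _ := makeCert(host, false, nil, nil) // self-signed, same name
	var o outcome
	o.CAIssuedVerifies = verifyWithRoots(genuine, roots, host) == nil
	var unknown x509.UnknownAuthorityError
	o.SelfSignedUnknownCA = errors.As(verifyWithRoots(impostor, roots, host), &unknown)
	// The TOFU client's very first contact is intercepted, so it pins the impostor.
	store := tofuStore{}
	o.ImpostorPinnedFirst = store.accept(host, impostor)
	o.GenuineRejectedLater = !store.accept(host, genuine)
	return o
}
```

Calling `runScenario()` from a `main` or a test yields all four fields true: the root-store client rejects the impostor with `x509.UnknownAuthorityError` because nothing it trusts vouches for that name-to-key binding, while the TOFU client has no way to tell the impostor from the real server and, having pinned the wrong key, locks the genuine one out until someone manually clears the pin. Revocation has the same shape: there is no CRL or OCSP responder a self-signed leaf can point at that the client has any independent reason to trust.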