[Ach] Certificate Authorities and Self-signed crap
ulrich.poeschl at bmlvs.gv.at
Sat Dec 14 18:21:57 CET 2013
I strongly disagree with the topic here. self-signed is the ONLY thing
you can ultimately trust!
> Yes. But since thats a paragraph on PKI we should mention that
> offical CA certs will be needed for external facing services like
> https or email.
what are "official CA certs"????
ca-certs that are loaded/pinned inside $random_browser and $random_OS?
please do not mention "official CAs" in the paper. this term is
confusing, $$$-driven and communicates a wrong sense of "security",
we should - in fact - extend the existing paragraph, in the existing
line of argument... in terms of "how to use self-signed CAs and certs
with your customers" (fingerprint-checking, best practices for running
your own CA,...)
More information about the Ach