[Ach] Certificate Authorities and Self-signed crap

Ulrich Poeschl ulrich.poeschl at bmlvs.gv.at
Sat Dec 14 18:21:57 CET 2013

I strongly disagree with the topic here. self-signed is the ONLY thing  
you can ultimately trust!

> Yes. But since thats a paragraph on PKI we should mention that  
> offical CA certs will be needed for external facing services like  
> https or email.

what are "official CA certs"????

ca-certs that are loaded/pinned inside $random_browser and $random_OS?

please do not mention "official CAs" in the paper. this term is  
confusing, $$$-driven and communicates a wrong sense of "security",  

we should - in fact - extend the existing paragraph, in the existing  
line of argument... in terms of "how to use self-signed CAs and certs  
with your customers" (fingerprint-checking, best practices for running  
your own CA,...)

regards, Ulrich

More information about the Ach mailing list