Comment by jdsully
1 day ago
At some point it makes sense to just let us use self signed certs. Nobody believes SSL is providing attestation anyways.
1 day ago
At some point it makes sense to just let us use self signed certs. Nobody believes SSL is providing attestation anyways.
What does attestation mean in this context? The point of the Web PKI is to provide consistent cryptographic identity for online resources, not necessarily trustworthy ones.
(The classic problem with self-signed certs being that TOFU doesn’t scale to millions of users, particularly ones who don’t know what a certificate fingerprint is or what it means when it changes.)
A lot corporate environments load their root cert and MITM you anyway
A lot of applications implement cert pinning for this exact reason
Then you might as well get rid of TLS altogether.
You'd still want in transit encryption. There are other methods than centralized trust like fingerprinting to detect forgeries.
Haven’t seen any such system that scales to billions of user.