Comment by pc86

7 hours ago

On the flip side, every company I've ever worked for has installed trusted company certs on their computers and MITMs everything.

Yep. You apparently need HTTPS for intranet resources too, or you can't develop/use web-apps in Chrome, and since no self-respecting CA would certify your localhost, internal homegrown CA it is, baby — and given the web runs on the lovely model "any CA can attest any website; okay, maybe CAA is not a bad idea"...

  • Even with CAA records, any CA can still create a cert for any website. So if you're worried about an untrustworthy CA, then this won't help you.

    It could make it less likely for a CA with buggy code to accidentally issue a cert for your domain.
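The CAA check discussed in this thread, as an added example that is not part of either comment: a sketch of the RFC 8659 decision a CAA-honouring CA makes before issuance, run over constructed zone data with hypothetical CA names (`ca-one.example`, `ca-two.example`). The check runs only inside the CA; clients validating a certificate never consult CAA, so it constrains compliant CAs and nothing else.

```python
# Constructed sample zone data (not real DNS): name -> [(flags, tag, value)]
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "internal.example.com": [(0, "issue", ";")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """RFC 8659 section 3: climb from the name toward the root and
    return the first non-empty CAA RRset found."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":          # wildcard: start the climb at the parent
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Issuer name is everything before the first ';' (parameters follow it)."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(fqdn, ca_domain, zone):
    """Issuance decision as made by a CA that honours CAA."""
    rrset = relevant_rrset(fqdn, zone)
    # An unknown property with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if fqdn.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    allowed = [issuer_domain(v) for _, t, v in rrset if t == tag]
    if not allowed:               # no applicable property: no restriction
        return True
    return ca_domain.lower() in allowed   # value ";" yields "" and matches no CA

if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-one.example"),
                     ("www.example.com", "ca-two.example"),
                     ("*.example.com", "ca-one.example"),
                     ("wiki.internal.example.com", "ca-one.example")]:
        print(name, ca, ca_may_issue(name, ca, ZONE))
```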