On 18/11/2025 9:33 am, Rick Troth wrote:
> Please don't take this as argumentative. I recognize your points and
> agree. Those who DO run their own CA consider those things as part of
> the cost and they accept that as a cost of doing business.
> Military, government, and even many large institutions or enterprises
> commonly run their own CA if only to get away from the third party
> aspect of PKI. YES, they then have the deployment burden. YES, all
> players then must trust the internal CA. (And there are many who
> DIStrust external CAs. Again, not meaning to argue, just observing.)
You're right, there are some circumstances where you might need your own
CA. Military and government are good examples. But I'm not convinced
that there are many large organizations who could set something up that
was more secure in practice than e.g. Let's Encrypt or other commonly
used CAs.
Also, the security of having your own CA doesn't come from adding your
own CA. It comes from removing trust from all other CAs from all your
clients. That's going to break a lot of stuff.
--
Andrew Rowley
Black Hill Software
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN