Andrew McGlashan via luv-main <[email protected]> writes:

> On 15/04/2016 4:51 PM, Rick Moen via luv-main wrote:
>> Quoting Andrew McGlashan ([email protected]):
>>
>>> letsencrypt perhaps? It works very well.
>>
>> It (https://letsencrypt.org/, a recently invented, automated, no-charge
>> CA) solves the one specific problem it set out to solve, well. And it's
>> commendably well intended & benevolent.
>>
>> [But the CA model is incorrigibly broken.]

https://en.wikipedia.org/wiki/Trust_on_first_use

This model has worked well for OpenSSH for a long time.
There is some recent(ish) discussion about applying it to "the web":

https://blogs.fsfe.org/jens.lechtenboerger/2014/03/10/certificate-pinning-with-gnutls-in-the-mess-of-ssltls/
https://blogs.fsfe.org/jens.lechtenboerger/2014/03/23/certificate-pinning-for-gnu-emacs/
https://blogs.fsfe.org/jens.lechtenboerger/2014/04/05/certificate-pinning-for-gnulinux-and-android/

Short version is: it's not ready for "normal" users.

> Still, I've used self-signed certs too over the years and only
> occasionally tried out other options ... for me, right now, letsencrypt
> is better due to how the main browsers are setting up users to distrust
> anything that doesn't come from a CA (however untrustworthy CAs might
> be).

Making your own autonomous CA (and creating certs from it) is not much
harder than making a self-signed cert.  The GNUTLS manual essentially
explains exactly how to do it, and its CLI options are *vastly* clearer
than the OpenSSL ones.

_______________________________________________
luv-main mailing list
[email protected]
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main
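The trust-on-first-use model the message points to (OpenSSH's known_hosts, applied to TLS) is easy to see in code. The following is an added illustration, not part of the mailing-list post and not code from GnuTLS or the pinning tools linked above. It keeps a per-host:port pin of the SHA-256 fingerprint of the server certificate's DER bytes, records it on first contact, accepts later contacts only if the fingerprint matches, and refuses otherwise. The certificate byte strings are constructed placeholders, not real DER; in a real client the bytes would come from ssl.SSLSocket.getpeercert(binary_form=True). The store path, the class and function names, and the example hostnames are all assumptions made for this example.

```python
"""Trust-on-first-use (TOFU) pin store for TLS server certificates.

Added example modelled on OpenSSH's known_hosts; not code from the
original thread or from GnuTLS.  All names here are assumptions.
"""
import hashlib
import json
from pathlib import Path
from typing import Optional


class PinMismatch(Exception):
    """The host presented a certificate that differs from the pinned one.

    TOFU cannot tell a legitimate key rotation from an interception, which
    is the usability problem the thread refers to: a human has to verify
    out of band and explicitly forget the old pin (cf. ssh-keygen -R).
    """


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, the same value browsers show."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Maps "host:port" to a pinned fingerprint, optionally persisted as JSON."""

    def __init__(self, path: Optional[str] = None):
        # path=None keeps the store in memory (handy for tests and demos).
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        """Return "pinned" on first use, "match" on a repeat; raise on change."""
        key = f"{host}:{port}"
        seen = fingerprint(cert_der)
        pinned = self.pins.get(key)
        if pinned is None:
            # First use: nothing to compare against, so trust and record.
            self.pins[key] = seen
            self._save()
            return "pinned"
        if pinned == seen:
            return "match"
        raise PinMismatch(f"{key}: pinned {pinned}, got {seen}")

    def forget(self, host: str, port: int) -> bool:
        """Drop a pin after out-of-band verification; True if one existed."""
        removed = self.pins.pop(f"{host}:{port}", None) is not None
        self._save()
        return removed


# Constructed placeholder "certificates"; real code would use DER bytes.
CERT_A = b"constructed-der-bytes-for-example-host-cert-A"
CERT_B = b"constructed-der-bytes-for-example-host-cert-B"


def demo() -> list:
    """Three contacts with one host: first pins, repeat matches, change is refused."""
    store = TofuStore()
    results = [
        store.check("example.invalid", 443, CERT_A),
        store.check("example.invalid", 443, CERT_A),
    ]
    try:
        store.check("example.invalid", 443, CERT_B)
        results.append("accepted")
    except PinMismatch:
        results.append("rejected")
    return results


if __name__ == "__main__":
    print(demo())
```

The weak spot is visible in demo(): the third contact is refused whether CERT_B is an attacker's certificate or simply the operator's renewed one, and the only way forward is forget() after checking the new fingerprint through some other channel. That manual step is what makes the model workable for SSH administrators and awkward for ordinary web users.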
