Yeah, self-signed certs are absolutely useful - you just need to be very careful which ones you trust for what.

Such certs are widely used to provide trust anchor information, typically of root CAs,
but conceptually and pragmatically, as Jordan also stated below,
they can make much sense even for end entities, such as locally known and trusted servers or email users.

I spent quite some effort to get their (optional) acceptance re-enabled in Thunderbird: https://bugzilla.mozilla.org/show_bug.cgi?id=1523130 but even one of their security(?) experts did not get my point and refused support.

    David

On 22.12.21 22:13, Jordan Brown wrote:
On 12/22/2021 1:08 PM, Philip Prindeville wrote:
I see there being limited application (utility) of self-signed certs, since they're pretty much useless from a security perspective, because they're unanchored in any root-of-trust.

They're OK once you take a leap of faith, check the fingerprint, or copy the certificate out of band.

In some senses they are *better* than a CA-based cert, because once established they are not vulnerable to CA compromise.
--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
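The two points made above, Jordan's "check the fingerprint" and David's "trust anchor" use, as an added example that is not from this thread: Go standard library only, a constructed throwaway self-signed certificate, and my own names newSelfSigned, Fingerprint, VerifyPinned and ChainValid.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned makes a throwaway self-signed cert for a local host (constructed test data).
func newSelfSigned(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Fingerprint is the SHA-256 of the DER cert, the value you compare out of band.
func Fingerprint(der []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// VerifyPinned is a tls.Config.VerifyPeerCertificate-style check: accept only the pinned leaf.
func VerifyPinned(rawCerts [][]byte, pinned string) error {
	if len(rawCerts) == 0 || Fingerprint(rawCerts[0]) != pinned {
		return fmt.Errorf("peer certificate does not match pinned fingerprint %s", pinned)
	}
	return nil
}

// ChainValid: does der chain to anchors? Empty pool = unanchored; pool holding der itself = trust anchor.
func ChainValid(der []byte, anchors *x509.CertPool) bool {
	cert, err := x509.ParseCertificate(der)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: anchors})
	}
	return err == nil
}
```

Wrap VerifyPinned in a closure `func(raw [][]byte, _ [][]*x509.Certificate) error` to use it as tls.Config.VerifyPeerCertificate with InsecureSkipVerify set, so the pin replaces CA validation instead of being added on top of a CA check that cannot succeed.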
