On Mon, Mar 23, 2026 at 3:01 PM Alan DeKok <alan.dekok= [email protected]> wrote:
> On Mar 24, 2026, at 7:21 AM, Tomas Gustavsson < > [email protected]> wrote: > > > We should admit that the CA infrastructure has failed us for nearly > all use-cases. Either the CA infrastructure is the web, and (despite the > CA/B forum > > > rules) it's OK to use web certs in non-web contexts. Or, the CA > infrastructure is more than the web, and we need to have new,, non-web CAs > with rules > > > outside of the CA/B forum. > > > > There are tons of CAs outside of the WebPKI/CA/B Forum ecosystem. > > Where can I get a certificate for mail.example.com < > http://mail.example.com/> that is (a) trusted by end-user systems, and > (b) is limited to id-kp-This-Is-A-Mail-Server? > > What happens now is one of 3 things: > > 1) use a web cert, and lie to the CA/B forum about what you're using it > for. This (allegedly) means that they can revoke it at any point for > mis-use > > 2) use a private CA, and have everyone else on the Internet refuse to talk > to you, as your CA is unknown > > 3) don't use TLS. Regarding Item (2), wouldn't Trust on First Use (TOFU) work well? Remember, TLS is only intended to be about as secure as brick-and-mortar stores. It is not intended to be as secure as Fort Knox. The biggest threat in mail systems seems to be the mail operator reading your messages. That's the insider threat in brick-and-mortar stores, where employees are committing an equal amount of the theft as external customers. And who needs a CA anyways? All we need is a hostname and a public key. We don't need a CA to bind them. The hostname and public key information is presented in an end-entity certificate, so that's all we need. The self-signed certificate can be hosted in DNS and retrieved as required since that seems to be the modern equivalent to the X.500 directory. The world does not need to be adverse to self-signed certificates just because the CA/BF does not care for them. Jeff
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
