For services that are not meant to be accessible by generic clients but are instead bound to a specific client, I think the best practice is to avoid the use of a public CA altogether and rely on a private CA pinned in the client. This removes the (possibly-not-)trusted third party from the game, and this is what many smartphone apps are doing, as they're the only consumer clients. The downside is of course the burden of properly maintaining a CA.
** Information type changed from Public to Public Security

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1895714

Title:
  Investigate and remove CA pinning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pollinate/+bug/1895714/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
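The arrangement described in the comment above, a client that trusts only a private CA instead of the public trust store, as an added example in Go. This is not code from pollinate or from the bug thread. It assumes everything is generated in memory for the demonstration (two throwaway CAs, a leaf certificate for 127.0.0.1, and an httptest TLS server); the CA names and the "seed" response body are made up. The point it shows is that a client whose RootCAs pool holds exactly one certificate never consults the system store at all, so a server certificate from any other issuer, public or private, fails verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCA builds a self-signed CA in memory (example only). In a real deployment
// the CA private key stays offline; only the certificate ships inside the client.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert has the CA sign a leaf certificate valid for 127.0.0.1,
// which is where httptest will listen. The CommonName is a made-up example.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "entropy.example"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// pinnedClient trusts exactly one CA. Because RootCAs is set, the system
// trust store (and every public CA in it) is not consulted at all.
func pinnedClient(ca *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
		},
	}
}

// fetch performs a GET and returns the body, or the TLS/HTTP error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// DemoResult records what each client saw when talking to the same server.
type DemoResult struct {
	PinnedBody string // body received by the client pinned to the issuing CA
	PinnedErr  error  // expected nil
	OtherErr   error  // expected: x509 "unknown authority" from the other client
}

// RunDemo serves TLS with a cert chaining to ourCA, then connects once with a
// client pinned to ourCA and once with a client pinned to an unrelated CA.
func RunDemo() (DemoResult, error) {
	ourCA, ourKey, err := newCA("Example Private Root")
	if err != nil {
		return DemoResult{}, err
	}
	otherCA, _, err := newCA("Some Other Root")
	if err != nil {
		return DemoResult{}, err
	}
	serverCert, err := issueServerCert(ourCA, ourKey)
	if err != nil {
		return DemoResult{}, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "seed") // constructed response body
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}}
	srv.StartTLS()
	defer srv.Close()

	var r DemoResult
	r.PinnedBody, r.PinnedErr = fetch(pinnedClient(ourCA), srv.URL)
	_, r.OtherErr = fetch(pinnedClient(otherCA), srv.URL)
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pinned client: body=%q err=%v\n", r.PinnedBody, r.PinnedErr)
	fmt.Printf("other-CA client: err=%v\n", r.OtherErr)
}
```

The second client is the one to watch: it is configured exactly like the first, only with a different single root, and it refuses the server with an "unknown authority" verification error. That is the whole mechanism, and also the maintenance burden the comment mentions: once the private CA certificate is baked into the client, rotating it means shipping a new client, so plan the CA lifetime and a rollover path (for example, a pool holding both old and new root during the transition) before the first release.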