On Tue, 18 Nov 2025 09:55:56 +1100, Andrew Rowley <[email protected]> wrote:
There's a common but erroneous perception that doing it yourself is safer. That's why people perceive driving to be safer than flying. That's why when you have had a couple of beers you are perfectly confident of your driving, but when your friend has had a couple of beers his driving makes you nervous. You're not only at risk from the possible malice of your in-house CA administrator, but also from his innocent errors. Has s/he had specialized training in PKI best practices?

Charles

>You're right, there are some circumstances where you might need your own
>CA. Military and government are good examples. But I'm not convinced
>that there are many large organizations who could set something up that
>was more secure in practice than e.g. Let's Encrypt or other commonly
>used CAs.
>
>Also, the security of having your own CA doesn't come from adding your
>own CA. It comes from removing trust from all other CAs from all your
>clients. That's going to break a lot of stuff.
