Re: Do you trust Let's Encrypt?

Tue, 18 Nov 2025 05:16:22 -0800 

Wow ... this is good stuff.
>   There's a common but erroneous perception that doing it yourself is safer. That's why people perceive driving to be safer than flying. 

Okay ... balance that.

It's true that "doing it yourself" is not necessarily safer (good 
analogy w/r/t driving and beer), and with respect to code (should you 
write the app or buy it?), not necessarily better.



But I have to point out that retaining your own data (keeping your 
cookies in-house) is wise.
Context is everything: When I was with Voltage Security (whose MVS 
product is their best, by the way) I saw customers putting some data 
into "the cloud". As long as it was protected (encrypted) BEFORE it was 
sent off-site, fine. But some customers didn't see the line and would 
also put the KEYS (or key server or trust anchor) off-site too. Danger, 
Will Robinson!


So ... remember both sides of the coin.

This is some good conversation.


-- R; <><



On 11/17/25 6:18 PM, Charles Mills wrote:

On Tue, 18 Nov 2025 09:55:56 +1100, Andrew Rowley 
<[email protected]> wrote:

There's a common but erroneous perception that doing it yourself is safer. 
That's why people perceive driving to be safer than flying.

That's why when you have had a couple of beers you are perfectly confident of 
your driving, but when your friend has had a couple of beers his driving makes 
you nervous.

You're not only at risk from the possible malice of your in-house CA 
administrator, but also from his innocent errors. Has s/he had specialized 
training in PKI best practices?

Charles


You're right, there are some circumstances where you might need your own
CA. Military and government are good examples. But I'm not convinced
that there are many large organizations who could set something up that
was more secure in practice than e.g. Let's Encrypt or other commonly
used CAs.

Also, the security of having your own CA doesn't come from adding your
own CA. It comes from removing trust from all other CAs from all your
clients. That's going to break a lot of stuff.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN


--
-- R; <><

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN






















					Reply via email to