Comment by stephenmac98

> Most people would click trust and get MITM'ed

So accept self signed on first connection with a detailed panel showing the certificate fingerprint. Then after that require a more involved process to accept a new certificate.

> do you really maintain every certificate both on it's application and on everything which needs to connect to it?

These are client certificates, and in some cases, they're actually pretty awesome.

> than signing all your PKI with an internal CA

That's a single layer of abstraction away from a self signed certificate, because, your CA _is_ a self signed certificate in this scenario. You've taken any defense in depth and thrown it right out the window.

The purpose of software is to make things possible not enforce random pedantry.

>"This is good enough because I don't expect anyone other than me will use it" is lazy

is both a mischaracterisation of the argument, and wrong. It's not lazy, it's a choice with pros and cons. Just because you don't like it does not mean it is lazy. Again, issuing your own certificates is a choice.

Allowing self signed certificates does not "significant lower the bar". Did you know that all root certificates are self signed?

The management of multiple trusted certificates is basic administration for large private networks. Yes, TLS and certificate management can be complex, but that is not a good argument for disallowing it, and the idea that managing your own certificate trust is against "best practices" is ludicrous.