Comment by akira2501

Comment by akira2501 2 days ago

0 replies

View on Hacker News

> Most people would click trust and get MITM'ed

So accept self signed on first connection with a detailed panel showing the certificate fingerprint. Then after that require a more involved process to accept a new certificate.

> do you really maintain every certificate both on it's application and on everything which needs to connect to it?

These are client certificates, and in some cases, they're actually pretty awesome.

> than signing all your PKI with an internal CA

That's a single layer of abstraction away from a self signed certificate, because, your CA _is_ a self signed certificate in this scenario. You've taken any defense in depth and thrown it right out the window.

The purpose of software is to make things possible not enforce random pedantry.