This is literally "go fuck yourself" advice.
-
@petrillic I ran a CA for my previous employer, I learned a lot, for example, fuck mTLS.
@ryanc @petrillic as you mentioned in the replies, acme-dns for lan addresses is *almost* reasonable (I also do it, it’s… fine… I am sympathetic to the OP’s desire for more reasonable treatment of .local but I have unironically recommended it to people who have been more or less satisfied with it) but running your own CA is advice from people who have only daydreamed about operating PKI infrastructure.
-
@ryanc @petrillic as you mentioned in the replies, acme-dns for lan addresses is *almost* reasonable (I also do it, it’s… fine… I am sympathetic to the OP’s desire for more reasonable treatment of .local but I have unironically recommended it to people who have been more or less satisfied with it) but running your own CA is advice from people who have only daydreamed about operating PKI infrastructure.
@glyph @ryanc @petrillic I find running our own CA at my work easy enough, but the scale is verrrry small and frankly I'm probably skipping a lot of steps that "real" CAs wouldn't -
@glyph @ryanc @petrillic I find running our own CA at my work easy enough, but the scale is verrrry small and frankly I'm probably skipping a lot of steps that "real" CAs wouldn't
@keithzg @petrillic @ryanc yeah everybody who eventually goes through the “find out” phase initially feels like this about operating a CA
-
@keithzg @petrillic @ryanc yeah everybody who eventually goes through the “find out” phase initially feels like this about operating a CA
@keithzg @petrillic @ryanc citation: I once wrote a tool that made every user an mTLS CA in a complex dynamic trust mesh and in my darker moments I still think … maybe it could work …
-
RE: https://mastodon.transneptune.net/@owen/116541558564007666
This is literally "go fuck yourself" advice.
@petrillic It may be a pain; but at least there are a variety of somewhat non-obvious ways to make it actively dangerous without noticing. What's not to like?
-
@keithzg @petrillic @ryanc citation: I once wrote a tool that made every user an mTLS CA in a complex dynamic trust mesh and in my darker moments I still think … maybe it could work …
@glyph @petrillic @ryanc It's been in operation a few years at work and It's Fine
for our purposes but we're certainly not dynamically provisioning services or any such thing, it's *purely* for "make this host trusted for HTTPS purposes" and those hosts are few and static. And I definitely landed on just doing it with a few manual `openssl` calls and a convenience script or two after surveying the more fully-featured run-your-own-CA software options out there, laughing nervously, and then quickly shutting the door.
-
@ryanc @petrillic I clearly don't know enough. What are some of the reasons for "if you hate yourself"?
@viq @petrillic since revocation doesn't work worth shit, they're basically bearer tokens with extra steps
-
R relay@relay.infosec.exchange shared this topic
-
@keithzg @petrillic @ryanc citation: I once wrote a tool that made every user an mTLS CA in a complex dynamic trust mesh and in my darker moments I still think … maybe it could work …
@glyph @keithzg @petrillic @ryanc this feels like the words of someone who dumped his ex after finding out she was literally a demon from hell... every so often he thinks of the amazing sex and is halfway to dialling her number before he remembers the claw marks, the ichor, and the creeping, gibbering madness
-
@viq @petrillic since revocation doesn't work worth shit, they're basically bearer tokens with extra steps
@ryanc @petrillic ah, thank you.
-
@viq @petrillic since revocation doesn't work worth shit, they're basically bearer tokens with extra steps
-
@petrillic @ryanc @viq oh. Oh, shit.
