This is literally "go fuck yourself" advice.

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 16:40:27 GMT

c0dec0dec0de@hachyderm.io — Sat, 09 May 2026 16:40:27 GMT

@petrillic @ryanc @viq oh. Oh, shit.

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 16:26:09 GMT

petrillic@hachyderm.io — Sat, 09 May 2026 16:26:09 GMT

@ryanc @viq somehow this never quite clicked this way before. This is a great description.

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 10:29:46 GMT

viq@social.hackerspace.pl — Sat, 09 May 2026 10:29:46 GMT

@ryanc @petrillic ah, thank you.

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 06:35:37 GMT

http_error_418@hachyderm.io — Sat, 09 May 2026 06:35:37 GMT

@glyph @keithzg @petrillic @ryanc this feels like the words of someone who dumped his ex after finding out she was literally a demon from hell... every so often he thinks of the amazing sex and is halfway to dialling her number before he remembers the claw marks, the ichor, and the creeping, gibbering madness

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 06:25:10 GMT

ryanc@infosec.exchange — Sat, 09 May 2026 06:25:10 GMT

@viq @petrillic since revocation doesn't work worth shit, they're basically bearer tokens with extra steps

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 04:35:14 GMT

keithzg@fediverse.keithzg.ca — Sat, 09 May 2026 04:35:14 GMT

@glyph @petrillic @ryanc It's been in operation a few years at work and It's Fine for our purposes but we're certainly not dynamically provisioning services or any such thing, it's *purely* for "make this host trusted for HTTPS purposes" and those hosts are few and static. And I definitely landed on just doing it with a few manual `openssl` calls and a convenience script or two after surveying the more fully-featured run-your-own-CA software options out there, laughing nervously, and then quickly shutting the door.

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 03:16:14 GMT

fuzzyfuzzyfungus@cyberplace.social — Sat, 09 May 2026 03:16:14 GMT

@petrillic It may be a pain; but at least there are a variety of somewhat non-obvious ways to make it actively dangerous without noticing. What's not to like?

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 01:41:17 GMT

glyph@mastodon.social — Sat, 09 May 2026 01:41:17 GMT

@keithzg @petrillic @ryanc citation: I once wrote a tool that made every user an mTLS CA in a complex dynamic trust mesh and in my darker moments I still think … maybe it could work …

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 00:43:19 GMT

glyph@mastodon.social — Sat, 09 May 2026 00:43:19 GMT

@keithzg @petrillic @ryanc yeah everybody who eventually goes through the “find out” phase initially feels like this about operating a CA

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 00:38:51 GMT

keithzg@fediverse.keithzg.ca — Sat, 09 May 2026 00:38:51 GMT

@glyph @ryanc @petrillic I find running our own CA at my work easy enough, but the scale is verrrry small and frankly I'm probably skipping a lot of steps that "real" CAs wouldn't

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 00:21:19 GMT

glyph@mastodon.social — Sat, 09 May 2026 00:21:19 GMT

@ryanc @petrillic as you mentioned in the replies, acme-dns for lan addresses is *almost* reasonable (I also do it, it’s… fine… I am sympathetic to the OP’s desire for more reasonable treatment of .local but I have unironically recommended it to people who have been more or less satisfied with it) but running your own CA is advice from people who have only daydreamed about operating PKI infrastructure.

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 00:14:26 GMT

viq@social.hackerspace.pl — Sat, 09 May 2026 00:14:26 GMT

@ryanc @petrillic I clearly don't know enough. What are some of the reasons for "if you hate yourself"?

Reply to This is literally "go fuck yourself" advice. on Sat, 09 May 2026 00:02:40 GMT

petrillic@hachyderm.io — Sat, 09 May 2026 00:02:40 GMT

@ryanc yourself, and everyone who comes after you.

Whew Choices.

Reply to This is literally "go fuck yourself" advice. on Fri, 08 May 2026 23:56:34 GMT

ryanc@infosec.exchange — Fri, 08 May 2026 23:56:34 GMT

@petrillic when I was interviewing for my current job, it was relevant, so I told the guy who was interviewing me "...and you could use mTLS, if you hate yourself", and from that point on we were just casually chatting.

Reply to This is literally "go fuck yourself" advice. on Fri, 08 May 2026 23:53:40 GMT

petrillic@hachyderm.io — Fri, 08 May 2026 23:53:40 GMT

@ryanc this is the kind way to view mTLS

Reply to This is literally "go fuck yourself" advice. on Fri, 08 May 2026 23:51:37 GMT

ryanc@infosec.exchange — Fri, 08 May 2026 23:51:37 GMT

@petrillic I ran a CA for my previous employer, I learned a lot, for example, fuck mTLS.

Reply to This is literally "go fuck yourself" advice. on Fri, 08 May 2026 23:47:11 GMT

owen@mastodon.transneptune.net — Fri, 08 May 2026 23:47:11 GMT

@petrillic It _deeply_ is. I ran a small CA for my own services for a while, and it was a constant thorn in my side. I can't imagine trying to persuade visitors to use it or trying to get some kid's Switch to accept those certs, nor would I want to leave them with the wreckage afterwards.

Reply to This is literally "go fuck yourself" advice. on Fri, 08 May 2026 23:42:17 GMT

petrillic@hachyderm.io — Fri, 08 May 2026 23:42:17 GMT

I have, quite literally, written a bunch of code that (at least used to be) is part of a major commercial CA product.

You do not want to do this.

Unless you hate yourself. Deeply.