This is literally "go fuck yourself" advice.
-
RE: https://mastodon.transneptune.net/@owen/116541558564007666
This is literally "go fuck yourself" advice.
@petrillic It _deeply_ is. I ran a small CA for my own services for a while, and it was a constant thorn in my side. I can't imagine trying to persuade visitors to use it or trying to get some kid's Switch to accept those certs, nor would I want to leave them with the wreckage afterwards.
-
I have, quite literally, written a bunch of code that (at least used to be) is part of a major commercial CA product.
You do not want to do this.
Unless you hate yourself. Deeply.
@petrillic I ran a CA for my previous employer, I learned a lot, for example, fuck mTLS.
-
@petrillic I ran a CA for my previous employer, I learned a lot, for example, fuck mTLS.
@ryanc this is the kind way to view mTLS
-
@ryanc this is the kind way to view mTLS
@petrillic when I was interviewing for my current job, it was relevant, so I told the guy who was interviewing me "...and you could use mTLS, if you hate yourself", and from that point on we were just casually chatting.
-
@petrillic when I was interviewing for my current job, it was relevant, so I told the guy who was interviewing me "...and you could use mTLS, if you hate yourself", and from that point on we were just casually chatting.
@ryanc yourself, and everyone who comes after you.
Whew
Choices. -
@petrillic when I was interviewing for my current job, it was relevant, so I told the guy who was interviewing me "...and you could use mTLS, if you hate yourself", and from that point on we were just casually chatting.
@ryanc @petrillic I clearly don't know enough. What are some of the reasons for "if you hate yourself"?
-
@petrillic I ran a CA for my previous employer, I learned a lot, for example, fuck mTLS.
@ryanc @petrillic as you mentioned in the replies, acme-dns for lan addresses is *almost* reasonable (I also do it, it’s… fine… I am sympathetic to the OP’s desire for more reasonable treatment of .local but I have unironically recommended it to people who have been more or less satisfied with it) but running your own CA is advice from people who have only daydreamed about operating PKI infrastructure.
-
@ryanc @petrillic as you mentioned in the replies, acme-dns for lan addresses is *almost* reasonable (I also do it, it’s… fine… I am sympathetic to the OP’s desire for more reasonable treatment of .local but I have unironically recommended it to people who have been more or less satisfied with it) but running your own CA is advice from people who have only daydreamed about operating PKI infrastructure.
@glyph @ryanc @petrillic I find running our own CA at my work easy enough, but the scale is verrrry small and frankly I'm probably skipping a lot of steps that "real" CAs wouldn't -
@glyph @ryanc @petrillic I find running our own CA at my work easy enough, but the scale is verrrry small and frankly I'm probably skipping a lot of steps that "real" CAs wouldn't
@keithzg @petrillic @ryanc yeah everybody who eventually goes through the “find out” phase initially feels like this about operating a CA
-
@keithzg @petrillic @ryanc yeah everybody who eventually goes through the “find out” phase initially feels like this about operating a CA
@keithzg @petrillic @ryanc citation: I once wrote a tool that made every user an mTLS CA in a complex dynamic trust mesh and in my darker moments I still think … maybe it could work …
-
RE: https://mastodon.transneptune.net/@owen/116541558564007666
This is literally "go fuck yourself" advice.
@petrillic It may be a pain; but at least there are a variety of somewhat non-obvious ways to make it actively dangerous without noticing. What's not to like?
-
@keithzg @petrillic @ryanc citation: I once wrote a tool that made every user an mTLS CA in a complex dynamic trust mesh and in my darker moments I still think … maybe it could work …
@glyph @petrillic @ryanc It's been in operation a few years at work and It's Fine
for our purposes but we're certainly not dynamically provisioning services or any such thing, it's *purely* for "make this host trusted for HTTPS purposes" and those hosts are few and static. And I definitely landed on just doing it with a few manual `openssl` calls and a convenience script or two after surveying the more fully-featured run-your-own-CA software options out there, laughing nervously, and then quickly shutting the door.
-
@ryanc @petrillic I clearly don't know enough. What are some of the reasons for "if you hate yourself"?
@viq @petrillic since revocation doesn't work worth shit, they're basically bearer tokens with extra steps
-
R relay@relay.infosec.exchange shared this topic
-
@keithzg @petrillic @ryanc citation: I once wrote a tool that made every user an mTLS CA in a complex dynamic trust mesh and in my darker moments I still think … maybe it could work …
@glyph @keithzg @petrillic @ryanc this feels like the words of someone who dumped his ex after finding out she was literally a demon from hell... every so often he thinks of the amazing sex and is halfway to dialling her number before he remembers the claw marks, the ichor, and the creeping, gibbering madness
-
@viq @petrillic since revocation doesn't work worth shit, they're basically bearer tokens with extra steps
@ryanc @petrillic ah, thank you.
-
@viq @petrillic since revocation doesn't work worth shit, they're basically bearer tokens with extra steps
-
@petrillic @ryanc @viq oh. Oh, shit.
