Have a self-signed CA certificate with a longish expiration and sign the actual ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		robryk on Oct 21, 2016 \| parent \| context \| favorite \| on: CA Comodo used broken OCR and issued certificates ... Have a self-signed CA certificate with a longish expiration and sign the actual keys the webservers use with that. Apply TOFU to that CA certificate (on a per-domain basis). There's IIRC no mechanism for that, but for the single-domain CA key it'd make sense to sign the new one with the old one.

45h34jh53k4j on Oct 21, 2016 [–]

TOFU is bad for the web. Its is much easier to MiTM https vs ssh. Many vendors will sell your enterprise kit to do it to all users.

There will be some jurisdictions where MiTM is always and unavoidable. TOFU can't work here.

These things must be universal, and TOFU can never be universal.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact