| ▲ | JimBlackwood 3 days ago |
| I don't think it's absurd and personally it feels easier to setup an internal CA than some of the alternatives. In the hackiest of setups, it's a few commands to generate a CA and issue a wildcard certificate for everything. Then a single line in the bootstrap script or documentation for new devices to trust the CA and you're done. Going a few steps further, setting up something like Hashicorp Vault is not hard and regardless of org size; you need to do secret distribution somehow. |
|
| ▲ | lucb1e 3 days ago | parent | next [-] |
| > it's a few commands to generate a CA My dad still calls my terminals a "DOS window" and doesn't understand why I don't use GUIs like a normal person. He has his own business. He absolutely cannot just roll out a CA for secure comms with his local printer or whatever. He literally calls me to help with buying a PDF reader Myself, I'm employed at a small business and we're all as tech savvy as it gets. It took me several days to set it up on secure hardware (smartcard, figuring out compatibility and broken documentation), making sure I understand what all the options do and that it's secure for years to come and whatnot, working out what the procedure for issuing should be, etc. Eventually got it done, handed it over to the higher-up who gets to issue certs, distribute the CA cert to everyone... it's never used. We have a wiki page with TLS and SSH fingerprints |
| |
| ▲ | JimBlackwood 3 days ago | parent | next [-] | | > My dad still calls my terminals a "DOS window" and doesn't understand why I don't use GUIs like a normal person. He has his own business. He absolutely cannot just roll out a CA for secure comms with his local printer or whatever. He literally calls me to help with buying a PDF reader This is fair. I assumed all small businesses would be tech startups, haha. | |
| ▲ | Retric 3 days ago | parent | prev [-] | | The vast majority of companies operate just fine without understanding anything about building codes or vehicle repair etc. Paying experts (Ed: setting up internal infrastructure) is a perfectly viable option so the only real question is the amount of effort involved not if random people know how to do something. | | |
| ▲ | lucb1e 3 days ago | parent | next [-] | | Paying an expert to come set up a local CA seems rather silly when you'd normally outsource operating one to the people who professionally run a CA | | |
| ▲ | Retric 3 days ago | parent [-] | | You’d only need internal certificates if someone had set up internal infrastructure. Expecting that person to do a good job means having working certificates be they internal or external. |
| |
| ▲ | nilslindemann 3 days ago | parent | prev [-] | | > Paying experts is a perfectly viable option Congrats for securing your job by selling the free internet and your soul. | | |
| ▲ | Retric 3 days ago | parent [-] | | I’m not going to be doing this, but I care about knowledge being free not labor or infrastructure. If someone doesn’t want to learn then nobody needs to help them for free. | | |
|
|
|
|
| ▲ | disiplus 3 days ago | parent | prev | next [-] |
| We have this, it's not trivial for some small team, and you have to deal with stuff like conda env coming with it's own set of certs so you have to take care of that. It's better then the alternative of fighting with browsers but still it's not without extra complexity |
| |
| ▲ | JimBlackwood 3 days ago | parent [-] | | For sure, nothing is without extra complexity. But, to me, it feels like additional complexity for whoever does DevOps (where I think it should be) and takes away complexity from all other users. |
|
|
| ▲ | 3 days ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | msie 3 days ago | parent | prev [-] |
| Wow, amazing how out of touch this is. |
| |
| ▲ | JimBlackwood 3 days ago | parent [-] | | Can you explain? I don't see why | | |
| ▲ | Henchman21 3 days ago | parent [-] | | You seem to think every business is a tech startup and is staffed with competent engineers. Perhaps spend some time outside your bubble? I’ve read many of your comments and you just do seem to be caught in your own little world. “Out of touch” is apt and you should probably reflect on that at length. | | |
| ▲ | JimBlackwood 3 days ago | parent [-] | | > You seem to think every business is a tech startup and is staffed with competent engineers. If we’re talking about businesses hosting services on some intranet and concerned about TLS, then yes, I assume it’s either a tech company or they have at least one competent engineer to host these things. Why else would the question be relevant? > “Out of touch” is apt and you should probably reflect on that at length. That’s a very weird personal comment based on a few comments on a website that’s inside a tech savvy bubble. Most people here work in IT, so I talk as if most people here work in IT. If you’re a mechanic at a garage or a lawyer at a law firm, I wouldn’t tell you rolling your own CA is easy and just a few commands. | | |
| ▲ | Henchman21 2 days ago | parent [-] | | You know, your perspective is valuable; I often operate as if the context is “all people everywhere”, which is rarely true and is definitely not true here. So I will take the error as mine and thank you for pointing it out :) |
|
|
|
|
