jdsully 11 hours ago

At some point it makes sense to just let us use self signed certs. Nobody believes SSL is providing attestation anyways.

woodruffw 10 hours ago | parent | next [-]

What does attestation mean in this context? The point of the Web PKI is to provide consistent cryptographic identity for online resources, not necessarily trustworthy ones.

(The classic problem with self-signed certs being that TOFU doesn’t scale to millions of users, particularly ones who don’t know what a certificate fingerprint is or what it means when it changes.)

vimda 11 hours ago | parent | prev | next [-]

A lot of corporate environments load their root cert and MITM you anyway

sgjohnson 8 minutes ago | parent [-]

A lot of applications implement cert pinning for this exact reason

cpach 9 hours ago | parent | prev [-]

Then you might as well get rid of TLS altogether.

jdsully 9 hours ago | parent [-]

You'd still want in transit encryption. There are other methods than centralized trust like fingerprinting to detect forgeries.
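As an added illustration of the two mechanisms this thread contrasts (TOFU fingerprint tracking, as woodruffw describes, and pre-provisioned cert pinning, as sgjohnson mentions), here is a small Python pin store. It is example code written for this page, not code from any commenter or from Remix; it uses only the standard library, and the byte strings standing in for DER-encoded certificates are constructed placeholders, not real certificates. The fingerprint is the SHA-256 of the DER bytes, which is how certificate fingerprints are conventionally defined; in a real client the DER would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first_seen"  # TOFU: no pin yet, accept and record it
    MATCH = "match"            # fingerprint matches a known pin
    MISMATCH = "mismatch"      # possible MITM, or an unannounced key rotation
    NO_PIN = "no_pin"          # strict mode and nothing was pre-provisioned


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class PinStore:
    # host -> set of acceptable fingerprints (a primary plus backup pins)
    pins: dict = field(default_factory=dict)
    # True: trust on first use (TOFU). False: only pre-provisioned pins count.
    allow_tofu: bool = True

    def preload(self, host: str, *fingerprints: str) -> None:
        """Provision pins out of band, e.g. shipped with the application."""
        self.pins.setdefault(host, set()).update(fingerprints)

    def check(self, host: str, der: bytes) -> Verdict:
        fp = fingerprint(der)
        known = self.pins.get(host)
        if not known:
            if not self.allow_tofu:
                return Verdict.NO_PIN
            # TOFU weakness: this first connection is accepted unverified, and
            # an attacker present *now* gets pinned as the legitimate peer.
            self.pins[host] = {fp}
            return Verdict.FIRST_SEEN
        if fp in known:
            return Verdict.MATCH
        # TOFU weakness: a legitimate certificate rotation and a MITM produce
        # exactly the same signal; only the user (or a second channel) can tell
        # them apart, which is why this does not scale to millions of users.
        return Verdict.MISMATCH


# Constructed placeholder "certificates": any distinct byte strings will do.
SITE_CERT = b"constructed-der-for-example.test-primary"
BACKUP_CERT = b"constructed-der-for-example.test-backup"
MITM_CERT = b"constructed-der-minted-by-interception-proxy"


def tofu_scenario() -> list:
    """TOFU: first contact is trusted, later changes are flagged."""
    store = PinStore(allow_tofu=True)
    return [
        store.check("example.test", SITE_CERT),   # FIRST_SEEN
        store.check("example.test", SITE_CERT),   # MATCH
        store.check("example.test", MITM_CERT),   # MISMATCH
    ]


def pinning_scenario() -> list:
    """Pinning: pins are provisioned in advance, with a backup for rotation."""
    store = PinStore(allow_tofu=False)
    before = store.check("example.test", SITE_CERT)  # NO_PIN: nothing provisioned
    store.preload("example.test", fingerprint(SITE_CERT), fingerprint(BACKUP_CERT))
    return [
        before,
        store.check("example.test", SITE_CERT),    # MATCH
        store.check("example.test", BACKUP_CERT),  # MATCH: planned rotation is fine
        store.check("example.test", MITM_CERT),    # MISMATCH: interception proxy cert
    ]


if __name__ == "__main__":
    for name, verdicts in (("tofu", tofu_scenario()), ("pinning", pinning_scenario())):
        print(name, [v.value for v in verdicts])
```

The pinning path detects the corporate interception case without any first-use gamble, but it only works because the application shipped its pins ahead of time and carries a backup pin so a planned rotation does not brick the client; the TOFU path needs no provisioning at all, and in exchange cannot distinguish rotation from interception at the moment a mismatch appears.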

cpach 8 hours ago | parent [-]

Haven’t seen any such system that scales to billions of users.