top | item 47069762

(no title)

sebiw | 11 days ago

> It's not that much work to trust my root certificate on each device

Sure, but is trusting your homebrewed CA on all your devices for essentially everything really a good idea?

When your homebrewed CA somehow gets compromised, all your devices are effectively compromised and not only for local connections, but everything that uses PKIX.

discuss

NewJazz|11 days ago

Name constraints

https://systemoverlord.com/2020/06/14/private-ca-with-x-509-...

8organicbits|11 days ago

Make sure all the TLS clients you use have support for name constraints. When I evaluated this in 2023, Chrome was in the process of adding support. I'd love to see a caniuse style analysis of TLS features, people assume they work but support varies.