Author: Evgeniy Berdnikov Date: To: exim-users Subject: Re: [exim] Something like "domains_require_tls"
On Wed, Mar 29, 2023 at 06:59:42PM +0000, Slavko via Exim-users wrote: > Why in hell the certificate signed by same (anonymous for me)
> group (understand CA) is considered as secure, but certificate
> signed by my own CA is not ? Only because someone (anonymous
> for me again) decided that these "public" CA are "good" and added
> to list of system's CAs... And what are these "root CAs"? They are
> the same self-signed certs as anyone other can generate.
One can generate self-signed certs, paying 2 cents, but you can't generate
trust for such amount of money. Trust to public CAs can be measured by cost
of related risks and business, starting from hundreds of thousands dollars.
> How do you can know, that these "public CAs" did not sign rogue
> certificate? (search net to examples)
Such questions are pointless while cost of your data is less then cost of
trust to public CAs. Nobody wants to sign "rogue cert" for your 2 cents.
If you don't trust public CAs, use your own for peer-to-peer communication.
But you can't force other people to change their minds, leasing 2 cents.
--
Eugene Berdnikov