Re: [exim] Something like "domains_require_tls"

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMViktor Dukhovni at <-
MMSlavko at ->
Delete this message
Reply to this message
Author: Evgeniy Berdnikov
Date:  
To: exim-users
Subject: Re: [exim] Something like "domains_require_tls"
On Wed, Mar 29, 2023 at 06:59:42PM +0000, Slavko via Exim-users wrote:
> Why in hell the certificate signed by same (anonymous for me)
> group (understand CA) is considered as secure, but certificate
> signed by my own CA is not ? Only because someone (anonymous
> for me again) decided that these "public" CA are "good" and added
> to list of system's CAs... And what are these "root CAs"? They are
> the same self-signed certs as anyone other can generate.

One can generate self-signed certs, paying 2 cents, but you can't generate
trust for such amount of money. Trust to public CAs can be measured by cost
of related risks and business, starting from hundreds of thousands dollars.

> How do you can know, that these "public CAs" did not sign rogue
> certificate? (search net to examples)

Such questions are pointless while cost of your data is less then cost of
trust to public CAs. Nobody wants to sign "rogue cert" for your 2 cents.

If you don't trust public CAs, use your own for peer-to-peer communication.
But you can't force other people to change their minds, leasing 2 cents.
--
Eugene Berdnikov

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Something like "domains_require_tls"Re: [exim] Something like "domains_require_tls"->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)