Re: [exim] Something like "domains_require_tls"

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Evgeniy Berdnikov
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] Something like "domains_require_tls"
On Wed, Mar 29, 2023 at 06:59:42PM +0000, Slavko via Exim-users wrote:
> Why in hell the certificate signed by same (anonymous for me)
> group (understand CA) is considered as secure, but certificate
> signed by my own CA is not ? Only because someone (anonymous
> for me again) decided that these "public" CA are "good" and added
> to list of system's CAs... And what are these "root CAs"? They are
> the same self-signed certs as anyone other can generate.


One can generate self-signed certs, paying 2 cents, but you can't generate
trust for such amount of money. Trust to public CAs can be measured by cost
of related risks and business, starting from hundreds of thousands dollars.

> How do you can know, that these "public CAs" did not sign rogue
> certificate? (search net to examples)


Such questions are pointless while cost of your data is less then cost of
trust to public CAs. Nobody wants to sign "rogue cert" for your 2 cents.

If you don't trust public CAs, use your own for peer-to-peer communication.
But you can't force other people to change their minds, leasing 2 cents.
--
Eugene Berdnikov