by nybble41
1618 days ago

> If there's consensus that for some domain, certificates don't actually mean anything, because anyone can get a CA to issue it, there should also be consensus to accept self-signed certificates for that domain.

Or my preferred hybrid approach: use a self-signed certificate and include the fingerprint (base32-encoded) in the domain name. The browser would recognize this pattern and accept the certificate, for that one domain, because it already meets all the requirements for domain validation. Discovery remains an issue–we need browsers to list the local mDNS services—but once you have the URL you can bookmark it and know that no other device can impersonate that domain/certificate combination.
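The check a client would have to perform under the scheme in the comment above, as an added sketch that is not part of the comment or any browser's code. It assumes a SHA-256 fingerprint over the certificate's DER bytes, unpadded lowercase base32, the fingerprint as the leftmost label, and a `.local` suffix; the comment specifies none of these, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

MAX_DNS_LABEL = 63  # a single DNS label may not exceed 63 octets


def fingerprint_label(cert_der: bytes) -> str:
    """Return the DNS label that commits to this exact certificate."""
    digest = hashlib.sha256(cert_der).digest()
    # 32 bytes -> 52 base32 characters once the '=' padding is dropped,
    # which fits in one label. DNS is case-insensitive, so use lowercase.
    label = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    if len(label) > MAX_DNS_LABEL:
        raise ValueError("fingerprint does not fit in one DNS label")
    return label


def pinned_name(cert_der: bytes, suffix: str = "local") -> str:
    """Build the hostname a device would advertise for its certificate."""
    return f"{fingerprint_label(cert_der)}.{suffix}"


def cert_matches_host(hostname: str, cert_der: bytes) -> bool:
    """Accept a self-signed certificate only if the hostname's leftmost
    label equals the fingerprint of the certificate actually presented."""
    claimed = hostname.rstrip(".").split(".", 1)[0].lower()
    expected = fingerprint_label(cert_der)
    # Constant-time comparison; a length mismatch simply returns False.
    return hmac.compare_digest(claimed.encode("ascii", "replace"),
                               expected.encode("ascii"))


# Constructed stand-ins for two devices' DER-encoded certificates.
DEVICE_CERT = b"constructed stand-in for device A certificate DER bytes"
OTHER_CERT = b"constructed stand-in for device B certificate DER bytes"

if __name__ == "__main__":
    name = pinned_name(DEVICE_CERT)
    print(name)
    print("device A accepted:", cert_matches_host(name, DEVICE_CERT))
    print("device B accepted:", cert_matches_host(name, OTHER_CERT))
```

The name binds to one certificate, so a device that rotates its key gets a new hostname and any bookmark to the old one stops validating.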