Stuff like this is why I consider giving people a CA how-to akin to a loaded gun. They almost invariably are not going to securely store the keys properly, set up CRLs, or manage their PKI in a safe manner.
Some of us are aware of the risks and choose to accept them. Last week I tried to analyze HTTPS traffic on my Linux machine using MITM to check what some programs were sending back home, but omg, it was a pain, I also partially failed. Some apps just ignore system certs and use their own. Tools like mitmproxy help (docs are lacking btw). I paid for both the devices and the software, shouldn't I be able to take a peek at what they are doing?
I certainly wouldn’t trust myself. Now if I could import a root cert and specify what domains to trust, that would be another thing, and it seems browsers are starting to pay attention to name constraints, which has not taken 20-odd years.
I’d rather be able to further constrain at the cert store though.
Doesn't matter. PKI for https is a solution in search of a problem.
In reality all it does is just validate domain name ownership, something that could have more easily been done with DKIM keys. We don't need certificate authorities.
Probably not much to say other than all of our current takes are based on a half-finished system originally designed for telephone and X.500 (DAP+LDAP && GoBlue) standards. Pretty new to me, after 25+ years ;), and the x509v3 things I kept using in openssl finally made some sense, see
https://en.m.wikipedia.org/wiki/X.500 and especially "The relationship of the X.500 Directory and X.509v3 digital certificates", which says that web servers/commerce was crafted on a system which didn't support remote directories and needed something local, hence the CAs and CA stores. Copied here for reference:
"The current use of X.509v3 certificates outside the Directory structure loaded directly into web browsers was necessary for e-commerce to develop by allowing for secure web based (SSL/TLS) communications which did not require the X.500 directory as a source of digital certificates as originally conceived in X.500 (1988). One should contrast the role of X.500 and X.509 to understand their relationship in that X.509 was designed to be the secure access method for updating X.500 before the WWW, but when web browsers became popular there needed to be a simple method of encrypting connections on the transport layer to web sites. Hence the trusted root certificates for supported certificate authorities were pre loaded into certificate storage areas on the personal computer or device."