
The same way you know if you should trust the WebPKI Rube-Goldberg-contraption: you don't.

It's a counterexample, not a recommendation.

If you need this guarantee, use self-certifying hostnames like Tor *.onion sites do, where the URL carries the public key. More examples of this: https://codeberg.org/amjoseph/not-your-keys-not-your-name



I trust the WebPKI infra quite a bit. Cert validation is publicly logged, and CAs that do nefarious things get booted from browser trust stores.

I can set which CAs can sign certs for my domains, and monitor if any are issued that I didn't expect.



