nanog mailing list archives
Re: Trivial change in Public Cert behaviour coming soon
From: Grant Taylor via NANOG <nanog () lists nanog org>
Date: Fri, 23 May 2025 21:23:34 -0500
On 5/23/25 8:53 PM, John Levine via NANOG wrote:
The point of a private CA is that you know the people whose certificates you're signing.
Yes, it is obvious that is the point of a private CA. But you seem to have misunderstood my (non-hypothetical) example.

Consider a web server that is serving up web pages to random people on the Internet completely unaffiliated / unassociated / unknown to the server; e.g. to you and your family. To be able to serve pages over HTTPS to them, a TLS certificate from a public CA that they trust MUST be used.
Now assume, for the sake of discussion, that you have multiple such servers and they want to use mTLS to authenticate their identities to each other. -- Maybe it's for SMTP, or IKE, or VoIP, or....
Solution 1 is to re-use the existing TLS certificate & key that they already have for mTLS.
Solution 2 is to have separate certificates used for mTLS.

You seem to be advocating for solution 2 with the added complexity of a private CA.
Solution 2 (or worse if private CA) involves additional configuration, additional complexity, additional certificates & keys to secure, and additional things to break.
People are often advised to avoid running their own private CA for some good security reasons.
So I maintain that Occam's Razor / Parsimony suggest that solution 1 be used as it's both simpler and has fewer components.
-- Grant. . . .
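Whether solution 1 works at all depends on the server certificate's Extended Key Usage (EKU) extension still listing TLS client authentication, which a public CA does not guarantee. As an added example, not part of this message or the NANOG thread, here is a small pure-Python decoder for an EKU extension value that reports which TLS roles a certificate may take; the sample DER bytes are constructed by hand, not copied from any real certificate.

```python
# Added example: decode an X.509 Extended Key Usage value (DER SEQUENCE OF
# OBJECT IDENTIFIER) and report whether it permits TLS server and client
# authentication, the check to run before re-using a public cert for mTLS.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos (short or long length form)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OID contents per X.690: first byte packs two arcs, then base-128 arcs."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_eku(der):
    """Return the dotted OIDs listed in an EKU extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(_decode_oid(value))
    return oids


def mtls_roles(der):
    """Which TLS roles the EKU permits; a cert shared for mTLS needs both."""
    oids = set(parse_eku(der))
    return {"server_auth": SERVER_AUTH in oids, "client_auth": CLIENT_AUTH in oids}


# Constructed sample EKU values (hex), not taken from any real certificate.
EKU_SERVER_AND_CLIENT = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")

if __name__ == "__main__":
    for name, eku in (("server+client", EKU_SERVER_AND_CLIENT), ("server only", EKU_SERVER_ONLY)):
        print(name, mtls_roles(eku))
```

The same decoder applies to the EKU bytes pulled from a real certificate's extension list; a result without `client_auth` means the certificate cannot serve as the client side of an mTLS handshake, and solution 2 becomes necessary.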
