<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
Yeah, self-signed certs are absolutely useful - you just need to be
very careful which ones you trust for what.<br>
<div class="moz-forward-container">
<p>Such certs are widely used to provide trust anchor information,
typically of root CAs,<br>
but conceptually and pragmatically, as Jordan also stated below,
<br>
they can make much sense even for end entities, such as locally
known and trusted servers or email users.<br>
</p>
<p>I spent quite some effort to get their (optional) acceptance
re-enabled in Thunderbird:<br>
<a moz-do-not-send="true"
href="https://bugzilla.mozilla.org/show_bug.cgi?id=1523130">https://bugzilla.mozilla.org/show_bug.cgi?id=1523130</a><br>
but even one of their security(?) experts did not get my point
and refused support.</p>
<p> David<br>
</p>
<div class="moz-cite-prefix">On 22.12.21 22:13, Jordan Brown
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0101017de3fd84bd-70c0c8db-9af8-49d3-99b3-d1c5af34f9a0-000000@us-west-2.amazonses.com">
<div class="moz-cite-prefix">On 12/22/2021 1:08 PM, Philip
Prindeville wrote:<br>
</div>
<blockquote type="cite"
cite="mid:87ABB53E-E21F-436C-9DDA-27542BFFF5AF@redfish-solutions.com">
<pre class="moz-quote-pre" wrap="">I see there being limited application (utility) of self-signed certs, since they're pretty much useless from a security perspective, because they're unanchored in any root-of-trust.</pre>
</blockquote>
<br>
They're OK once you take a leap of faith, check the fingerprint,
or copy the certificate out of band.<br>
<br>
In some senses they are *better* than a CA-based cert, because
once established they are not vulnerable to CA compromise.<br>
<pre class="moz-signature" cols="72">--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris</pre>
</blockquote>
</div>
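<p>Added example, not part of the original messages: a minimal Python sketch of the three ways of trusting a self-signed certificate that Jordan lists (leap of faith, checking the fingerprint, copying it out of band), using an exact-certificate SHA-256 pin. The <code>PinStore</code> class, the function names, the host names in the test and the byte strings standing in for DER certificates are assumptions made for illustration.</p>

```python
import hashlib, hmac, socket, ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' or plain hex, as certificate viewers display it."""
    fp = fp.replace(":", "").replace(" ", "").lower()
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("not a SHA-256 fingerprint")
    return fp

class PinStore:
    """Hypothetical in-memory store: host -> pinned certificate fingerprint."""
    def __init__(self):
        self._pins = {}

    def pin_out_of_band(self, host: str, fp: str) -> None:
        # Fingerprint obtained over a separate channel (phone, paper, USB).
        self._pins[host] = normalize(fp)

    def check(self, host: str, der_cert: bytes, leap_of_faith: bool = False) -> str:
        seen = fingerprint(der_cert)
        pinned = self._pins.get(host)
        if pinned is None:
            if not leap_of_faith:
                return "unknown"          # caller must refuse or ask the user
            self._pins[host] = seen       # trust on first use
            return "pinned-on-first-use"
        # Exact-certificate match: a different cert is rejected even if some
        # CA would vouch for it, which is why CA compromise does not matter.
        return "match" if hmac.compare_digest(pinned, seen) else "mismatch"

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the peer certificate without chain validation; the pin check
    replaces it and must pass before any application data is sent."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-self-signed-cert-A"
CERT_B = b"constructed-replacement-cert-B"
```

<p>A "mismatch" result means the server presented a different certificate than the pinned one and the connection should be dropped until the new fingerprint has been verified out of band.</p>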
</body>
</html>