So regarding the Bluesky check marks, they're basically the equivalent of TLS certificate authorities, and everyone agrees, yes?

But I see some "well someone could trust a different set of CAs so maybe it's kinda decentralized?"

Do you know anyone who installs custom certificate authorities in their browser?

Me neither.

Yes, I know, corporations do this for internal things

Do you know a *person* who has chosen to do this

@cwebber after futzing with certs and a VPN for a client project I can honestly say that I will never willingly do this for my own personal "fun"

@cwebber
I do this because mTLS for my personal infrastructure, but I'm definitely an outlier in that.

@cwebber I use OpenNIC DNS, which is an alternate set of root servers with some fun additional TLDs. Pretty much requires an alt CA too

@cwebber I have!

For mitmproxy

@cwebber I only do this for self-signed certs when I can't use Let's Encrypt (i.e. I don't have a domain for it). Never heard of a person doing it for anything other than their own personal use

@cwebber yeah for a while around 2005, I had my own CA cert that I gpg signed and distributed (to approximately 0 people other than me) and used for my https

@cwebber I've only ever seen it suggested as an alternative to overriding browser settings to allow self-signed certificates. The override seems like a lot less work.

@cwebber only homelab sysadmin weirdos who run internal-facing services and have strong feelings about preventing tampering & eavesdropping but relatively ambivalent feelings about endpoint identity verification.

(Which still nets about a half dozen people I know, but it is not a large demographic.)

@cwebber I think(?) Handshake (https://handshake.org/) is one example of a community of people who do this. There’s a few different options for resolving the domains (e.g. https://www.hdns.io/) that I used for a bit. In practice there’s a lot of classic speculative crypto activity, unfortunately (and the reliance on proof-of-work is a huge bummer), but I still think the idea of decentralizing naming and CAs is a cool one!

@cwebber

Yes. I have 3 root certs I personally created loaded into my Firefox profile.

Screenshot of the first one's validity period attached.

I acknowledge I am a giant weirdo.

@cwebber Not in my web browser but I added the DN42 certificate authority to the system certificate store on one of my DN42 routers

@cwebber You know that person, assuming they exist, is right here on the fediverse.

Anywhere else though, you’d be right.