undefined | Better HN

0 pointsfiresteelrain1y ago0 comments

If the root CA is in a place that is inaccessible then there are no CRLs to check against for example. Root CA may exist outside of the airgapped env. Especially if the root CA is one that produces self signed certs. You are back to insecure TLS

0 comments

orf1y ago

None of this makes any sense.

A lack of CRL doesn’t make TLS insecure.

A root doesn’t produce “self-signed certificates”. That especially doesn’t make any sense. What do you think the “self” references in “self-signed” certificate?

Add the root to your trust store, if you trust it, and you’re done.

What’s more concerning is someone working on (assumingly) secure, sensitive, air-gapped networks knows this little about TLS?

j / k navigate · click thread line to collapse