[Discuss] [BLU/Officers] update instructions for key signing

Bill Ricker bill.n1vux at gmail.com
Mon Sep 17 13:32:04 EDT 2018


On Mon, Sep 17, 2018, 11:27 Dan Ritter <dsr at randomstring.org> wrote:

> > Since my browser now flags non-https sites as "Unsecure," I'd like to know
> > how to generate a key to put in my Apache setup which will swing the
> > padlocks shut. I know that it won't be "valid" unless I import the key into
> > my browser, but that's a one-time effort and will stop the "unsecure"
> > messages when I ask people to visit my websites.
> >
> > Also, if possible, I'd like to be able to pass out keys for users to use in
> > lieu of passwords to access secured areas.
> >
> > Please tell me how to go about that, and thanks in advance.
>
> The easiest and best thing to do is to get SSL certs from Let's
> Encrypt.
>
> Everything else is worse and harder.
>

Correct. Even the US DOD is getting away from self-signed certs that have
to be injected or accepted, because that trains users to be too trusting.

The only valid use cases for DIY webserver certs are
(a) internal alpha-test/QA sites, which will then scream holy murder if prod
traffic gets misrouted to them;
(b) closed intranet (no BYOD allowed) where one IT org controls both the
desktops and the webservers, and you install the corp private self-signed CA
key into the IT release of IE/Edge, FF, Chrome.

Yes, it is in theory possible to distribute keys to authenticate a browser
to the webserver.
Browser-side user certs can be useful in a DIY 2FA scheme, but I'd not
recommend it as 1FA!!
This may seem like a good idea but doesn't really do what one usually
wants; it turns just their phone or laptop into a large losable 1FA dongle.
Possibly safe only if you control their password and screensaver policy.
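As an added illustration of the two points above (not configuration from anyone in this thread), here is an Apache vhost that serves a certbot-issued Let's Encrypt certificate, so no key import is needed on the browser side, and restricts one location to visitors who present a client cert from a private CA *and* know a password, i.e. the cert as a second factor rather than a replacement for the password. The hostname `www.example.com`, the `/etc/letsencrypt/live/...` paths, the `/etc/ssl/private-ca/members-ca.pem` CA file and the htpasswd path are placeholders, and it assumes mod_ssl and mod_auth_basic are enabled.

```apache
# Added example, not from the thread: Let's Encrypt server cert plus an
# optional members' area that needs client cert AND password.
# Hostname, certificate paths and the private CA file are placeholders.

<VirtualHost *:80>
    ServerName www.example.com
    # Push plain-HTTP visitors to HTTPS so the padlock is always shut.
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # certbot writes these; every browser already trusts the chain,
    # so there is nothing for visitors to import or click through.
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem

    # CA that signs the user (browser-side) certs you hand out. Must be set
    # at vhost level; SSLVerifyClient itself can be scoped per location.
    SSLCACertificateFile  /etc/ssl/private-ca/members-ca.pem
    SSLVerifyDepth 1

    # Members' area: the cert alone is not enough (a lost laptop would be a
    # "large losable 1FA dongle"), and the password alone is not enough either.
    <Location "/members">
        SSLVerifyClient require

        AuthType Basic
        AuthName "Members"
        AuthUserFile /etc/apache2/members.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Scoping `SSLVerifyClient require` to a `<Location>` means the rest of the site stays open to anyone, while the members' area rejects a browser with no (or a wrong) client cert before the password prompt is ever shown; revoking a lost device then comes down to removing that cert from the CA's issued set and the user's password still stands on its own.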
