bhauman 2020-06-12T00:42:58.262200Z

Actually I think I see a better safer easier way

bhauman 2020-06-12T01:06:10.264Z

make/cache self-signed certificates in users home directory, hash them on their domains/ips for reuse, automate trust installation

bhauman 2020-06-12T01:07:26.265Z

This prevents them from being used for any domains other than the domains specified in the certificate

bhauman 2020-06-12T01:08:32.266200Z

furthermore you could have the tool restrict which domains can be created for security reasons

pyrmont 2020-06-12T02:00:28.267300Z

Certifiable is a great name, by the way :)

dominicm 2020-06-12T07:13:58.267500Z

Wouldn't an attacker just replace the file in the user's home directory? If trust installation is automated.

bhauman 2020-06-12T14:31:46.268900Z

@dominicm not that automated 🙂 when you create the certificate you are queried wether to install it

bhauman 2020-06-12T19:59:12.271800Z

@dominicm I think I figured it out finally

bhauman 2020-06-12T19:59:25.272Z

its kinda obvious

bhauman 2020-06-12T19:59:31.272200Z

delete the keys

bhauman 2020-06-12T20:00:12.272800Z

folks can trust a root that has no keys

bhauman 2020-06-12T20:00:30.273200Z

and the leaf certificate keys can’t be used to sign any new certs

bhauman 2020-06-12T20:01:51.274400Z

then cache based on the domains, ips to eliminate asking for trust over and over

dominicm 2020-06-12T20:06:02.274700Z

Interesting, a tool can even go one step further: never write the priv keys to disk. Keep in memory.

bhauman 2020-06-12T20:20:30.275200Z

@dominicm food for thought

dominicm 2020-06-12T20:29:32.275500Z

I'll be honest, I still don't entirely understand the use-case of hitting up localhost with ssl.