this post was submitted on 09 Aug 2023
48 points (96.2% liked)
Explain Like I'm Five
14263 readers
135 users here now
Simplifying Complexity, One Answer at a Time!
Rules
- Be respectful and inclusive.
- No harassment, hate speech, or trolling.
- Engage in constructive discussions.
- Share relevant content.
- Follow guidelines and moderators' instructions.
- Use appropriate language and tone.
- Report violations.
- Foster a continuous learning environment.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Signed by whom? The CA.
The CA is the certificate authority.
You can create your own CA and sign your own certs for free, but people would need to have your CA root cert in their browser for them to be able to trust your signed certs.
Let's Encrypt is a real CA bundled with browsers, and it signs free cert signing requests when specific criteria is met. This is done because TLS is an important privacy mechanism that works best if many certs are in use and not just a few wildcard certs.
Why not trust self-signed certs? Because there are no checks. When miicrosoft.com (the people who make the miis on your wii) gets a free cert signing from Let's Encrypt, its because the owner of miicrosoft.com proved that they owned the domain miicrosoft.com by means of a lets encrypt / acme challenge. When you create your own CA and sign your own certs you are beholden to your own rules. You could sign a free cert for microsoft.com (the people who make minecraft) but then you would also need to convince users to install your CA, and then you can steal their blocks and grief their builds.