[Discuss] Delivering mail to folders

Edward Ned Harvey (blu) blu at nedharvey.com
Tue Feb 2 07:57:46 EST 2016


The important characteristic is whether or not the CA root private key is ever exposed to any servers or clients. For example, if you used a self-signed cert (no separate CA) on a server, that server requires the CA root private key in order to serve webpages, and if you installed that cert into the CA root trust store of your clients, then if the server gets compromised, the attacker can impersonate literally any domain on any server, completely undermining your entire SSL/TLS infrastructure, with the ability to MITM attack every connection.

If you generate a CA, keep its private key private, and use it to sign a separate server cert, then if the server gets compromised, the worst the attacker can do is malicious things with the compromised server.



More information about the Discuss mailing list