Such certs are widely used to provide trust anchor information,
typically of root CAs,
but conceptually and pragmatically, as Jordan also stated below,
they can make much sense even for end entities, such as locally
known and trusted servers or email users.
I spent quite some effort to get their (optional) acceptance
re-enabled in Thunderbird:
https://bugzilla.mozilla.org/show_bug.cgi?id=1523130
but even one of their security(?) experts did not get my point
and refused support.
David
On 22.12.21 22:13, Jordan Brown wrote:
On 12/22/2021 1:08 PM, Philip Prindeville wrote:
I see there being limited application (utility) of self-signed certs, since they're pretty much useless from a security perspective, because they're unanchored in any root-of-trust.
They're OK once you take a leap of faith, check the fingerprint, or copy the certificate out of band.
In some senses they are *better* than a CA-based cert, because once established they are not vulnerable to CA compromise.
-- Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
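The two ways Jordan names for making a self-signed certificate trustworthy (checking its fingerprint, or copying the certificate itself out of band) can both be turned into a mechanical check on the client side. The following is an added example written for this thread; it is not code from David, Jordan, Thunderbird or any of the projects mentioned. It assumes the operator has already obtained the server's certificate (or its SHA-256 fingerprint) over a trusted channel; the function names, the `SAMPLE_PEM` bytes and the pinned value are constructed placeholders, not a real certificate.

```python
"""Trusting a self-signed end-entity certificate directly (added example).

Two defender-side checks for a locally known server whose certificate is
self-signed:
  1. pin by SHA-256 fingerprint (what you would compare after "check the
     fingerprint" out of band), and
  2. use the certificate itself as the *only* trust anchor of a TLS client
     context (what "copy the certificate out of band" amounts to).
Nothing here contacts the network; the sample PEM is a constructed blob.
"""
import base64
import hashlib
import hmac
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes (no validation of ASN.1)."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM CERTIFICATE block")
    b64 = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(b64.split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, pinned: str) -> bool:
    """Constant-time comparison of a certificate against a pinned fingerprint.

    Accepts the pinned value with or without colons/spaces and in any case,
    so a value pasted from a phone call or a printout still compares cleanly.
    """
    expected = pinned.replace(":", "").replace(" ", "").lower()
    actual = hashlib.sha256(der).hexdigest()
    return hmac.compare_digest(actual, expected)


def pinned_context(cert_path: str) -> ssl.SSLContext:
    """TLS client context that trusts exactly one certificate file.

    The self-signed certificate becomes the sole trust anchor: the system CA
    store is *not* loaded, so a CA compromise elsewhere cannot mint a
    certificate this client would accept (Jordan's point above).
    Hostname checking stays on, so the cert must also name the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cert_path)
    return ctx


def check_peer_pin(ssl_sock: ssl.SSLSocket, pinned: str) -> None:
    """Belt-and-braces: after the handshake, also compare the peer's fingerprint.

    Raises if the presented certificate is not the pinned one.
    """
    peer_der = ssl_sock.getpeercert(binary_form=True)
    if peer_der is None or not fingerprint_matches(peer_der, pinned):
        raise ssl.SSLCertVerificationError("peer certificate does not match pin")


# Constructed stand-in for a certificate obtained out of band. These bytes are
# NOT valid DER; they only exercise the fingerprint path, which hashes the raw
# encoding and does not parse it.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_PEM = f"{PEM_HEADER}\n{base64.b64encode(SAMPLE_DER).decode()}\n{PEM_FOOTER}\n"


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    pin = sha256_fingerprint(der)
    print("pinned fingerprint:", pin)
    print("matches own pin:   ", fingerprint_matches(der, pin))
    print("matches wrong pin: ", fingerprint_matches(der, "00:" * 31 + "00"))
```

In practice `pinned_context()` is used with the real PEM file copied from the server, and `check_peer_pin()` is called on the socket right after `wrap_socket(...)` returns; the fingerprint check alone is enough when only the hash, not the certificate, was exchanged out of band.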