> If they had an actual root CA with a private key, that private key could be co...

varenc · on Nov 2, 2017

Yes, that's the ideal case...

But what do you want to do more?

1) Trust some company to keep a very important private key secure for a long time? (with attackers knowing it's a single high-value target)

2) Or be confident that the private key was used once and destroyed forever? Even if the private key generated on your device could be recovered it would only be good for an attack against you making it a lower priority to attackers.

dec0dedab0de · on Nov 3, 2017

Or be confident that the private key was used once and destroyed forever? Even if the private key generated on your device could be recovered it would only be good for an attack against you making it a lower priority to attackers.

Doing it that way completely undermines the reason for having a cert in the first place. You might as well not have one at all.

usrusr · on Nov 3, 2017

The difference is that with the on the fly cert, you blindly trust one piece of code, at one point in time, and when it did not lie to you then you will be safe from it later. A conventional cert owner on the other hand could theoretically turn on you any time (e.g. when ownership multiplies into pwnership) once "automatic trust" for the next binary is established.

I'd still prefer the latter, given reasonable standards in terms of key handling, but the one-time trust is not completely without merit. It would certainly be more reasonable though to just allow one-time blind trust without forcing the installer to create a certificate that may or may not be as private as advertised.

ComodoHacker · on Nov 3, 2017

There's a difference. With auto-generated root certs you can't just steal one private key, sign your malware with it and push it to all users of the original software.