Re: One nasty habit Google employees have
>you can set up your own internal self-signed private CA and ignore these policies used by public CAs.
This proposal is by the CA/Browser Forum.
They don't write standards that bind any CA, public or private.
They write standards such that the browsers will throw warnings when a cert issued by any CA doesn't meet them.
Have fun with the InfoSec training explaining when end users should accept the security risk and when they shouldn't.
Hey, I'm all over ADCS Autoenrollment (oh wait, our InfoSec group doesn't allow that and requires manual requests (which I have scripted) followed by an email (scripted) for them to manually release (which once they do, scripts complete the process...))
And I'm all over Let's Encrypt (same InfoSec group basically blew milk out their nose and scrambled trying to explain how it doesn't meet corporate standards for being a well-reputed commercial CA).
But even with that automation, I'm still left with situations such as:
-- Devs who claim their applications can't use Intermediate / Root certs to validate and have to pin the public certs;
-- Admins who claim likewise (really your six-figure Application Gateways can't possibly deal with certificate chains and need to pin a public cert?)
-- Federated organizations which don't check for SAML metadata updates and need to manually coordinate updating SAML signing certificates
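The last situation above, a federation partner that does not watch for SAML metadata changes, is one that can be checked by machine rather than by coordinated e-mail. The script below is an added example, not code from the original post or from any product it mentions: it parses two snapshots of a SAML 2.0 metadata document with only the Python standard library, extracts every certificate that may be used for signing (a KeyDescriptor without a `use` attribute counts for both signing and encryption, so it is included), fingerprints them with SHA-256 over the DER bytes, and reports which signing certificates were added or withdrawn between the snapshots. The entity ID, the certificate blobs and the two metadata snapshots are constructed sample data; real metadata carries DER-encoded X.509 certificates, which the same code hashes unchanged.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_cert_fingerprints(metadata_xml: str) -> set[str]:
    """Return the SHA-256 fingerprints (hex) of every certificate in the
    metadata that may be used for signing.

    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    fingerprints: set[str] = set()
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "encryption":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Published base64 is usually line-wrapped; drop all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def diff_signing_certs(previous_xml: str, current_xml: str) -> tuple[list[str], list[str]]:
    """Compare two metadata snapshots; return (added, removed) fingerprints, sorted."""
    old = signing_cert_fingerprints(previous_xml)
    new = signing_cert_fingerprints(current_xml)
    return sorted(new - old), sorted(old - new)


def build_metadata(*certs: tuple[str, bytes]) -> str:
    """Build a minimal IdP metadata document around constructed cert bytes
    (sample data for this example; the entity ID is a placeholder)."""
    descriptors = "".join(
        f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(blob).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for use, blob in certs
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        'entityID="https://idp.example.invalid/saml">'
        f"<md:IDPSSODescriptor>{descriptors}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Constructed snapshots: the IdP has published a new signing cert (B) next to
# the old one (A) ahead of a rollover; the encryption cert is unchanged.
CERT_A = b"constructed signing cert A"
CERT_B = b"constructed signing cert B"
CERT_ENC = b"constructed encryption cert"
PREVIOUS_SNAPSHOT = build_metadata(("signing", CERT_A), ("encryption", CERT_ENC))
CURRENT_SNAPSHOT = build_metadata(("signing", CERT_A), ("signing", CERT_B), ("encryption", CERT_ENC))


def check_rollover() -> tuple[list[str], list[str]]:
    """Run the comparison on the constructed snapshots and report what an SP
    operator would need to act on."""
    added, removed = diff_signing_certs(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)
    for fp in added:
        print(f"NEW signing cert published: {fp} -> add to the SP's trusted signers")
    for fp in removed:
        print(f"signing cert withdrawn: {fp} -> safe to retire on the SP side")
    return added, removed


if __name__ == "__main__":
    check_rollover()
```

Run against a stored copy of the partner's metadata and a freshly fetched one (fetching and signature verification of the metadata itself are outside this example), a non-empty `added` list is the signal that the SP's trust configuration needs the new signer before the IdP switches over, and a non-empty `removed` list is the point at which the old certificate can be dropped.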