I mean you have to do that with https now if you don't go with one of the big guys? How is that any more dangerous to the end user than just going to an http site that they don't know personally? The risks are the same as far as malware.
>How is that any more dangerous to the end user than just going to an http site that they don't know personally?
Installing a random root cert to your trust store is a very dangerous thing to do, but you're looking at this from the wrong end. I'm not talking about the dangers of a random user installing a random TLS root cert from me that I send them over, what, email? That's just not going to happen. It shouldn't happen.
I'm talking about the ability for human persons to host visitable websites without corporate oversight and control. With HTTP/1.1 I can just host a website from my IP and it's good. Anyone can visit. With HTTP/3, before anyone can visit my website I first have to go ask permission every ~90 days from a third-party corporation. And if I piss them off (or people who put pressure on them in certain political regions), say by hosting a PDF copy of a scientific journal article, or a list of local abortion clinics, they can revoke my ability to host a visitable website.
With HTTP/3, as a human person, the cure is worse than the "disease".
I think they meant, can't a visitor just ignore that your cert is self-signed and view the page anyway, _without_ adding it to the trust store. Firefox, at least, has this as the default "ignore the cert error" action.
Setting up a root cert in a trust store and accepting a non-root self-signed cert are very different things.
That said, "can't a visitor just ignore that your cert is self-signed and view the page anyway,"
No. They cannot. Not when it's HTTP/3. Even if the browser ostensibly supports it, the HTTP/3 connection will fail because the HTTP/3 lib Firefox uses does not allow it.
Would that actually help your cause, since it would push people to build and distribute their own user agents which accept self-signed certs/CAs in a user-driven community without big corp oversight?
You'd have to get all the major browsers to trust that CA; it's not possible to do that without "corporate oversight".
That's the point the other poster is making: it adds a new level of control that becomes the de facto only way to do things if HTTP/1.1 ever gets deprecated.
I have no opinion on the likelihood of any such deprecation but I fully understand the concern.
That's mainly a problem with the browsers, no? Not saying it isn't an issue, obviously the big ones are going to drive a lot of this technology, but you could still use something like curl or whatever.