I’m not sure exactly what role in what sort of deployment pipeline you’re suggesting for ephemeral root certs here, and you may well have a solid handle on how to do this safely.
But one reason I might initially look at you with alarm if you suggest self-signing or symmetric keys as part of a solution in general is… while it might reduce the attack surface, attack surface is not the only thing to worry about. Another thing to consider is the ‘fuckup surface’ of a particular architecture.
And one problem that self managed key distribution strategies tend to run into is that they massively increase your fuckup surface. Losing the keys to everything can become a real danger.
I’m a big believer in building security systems that also reduce the blast radius of dumb errors (accidentally running rm -rf /* is harmless if you religiously run with least privilege).
Saying ‘I’m going to build my own trust root’ generally seems to me like it probably increases the blast radius.
But one reason I might initially look at you with alarm if you suggest self-signing or symmetric keys as part of a solution in general is… while it might reduce the attack surface, attack surface is not the only thing to worry about. Another thing to consider is the ‘fuckup surface’ of a particular architecture.
And one problem that self managed key distribution strategies tend to run into is that they massively increase your fuckup surface. Losing the keys to everything can become a real danger.
I’m a big believer in building security systems that also reduce the blast radius of dumb errors (accidentally running rm -rf /* is harmless if you religiously run with least privilege).
Saying ‘I’m going to build my own trust root’ generally seems to me like it probably increases the blast radius.