Trying to avoid belaboring that all root certificates are self-signed in #TLSMastery.
It's in there, sure. But I want to put it on every page. Along with screaming "CAs are a scam!"
@mwlucas while you are rightfully trouncing CAs, are you covering alternatives like DANE? Also do you cover being your own CA and the options for how to do it like setting up your own crl and ocsp server and ocsp stapling?
DANE is in the DNSSEC book. Probably doing a new rev of that next.
Your own CA is a possibility. Debating that. I really want this to be a shorter book.