All the more reason you wouldn't let a third party CA sign certificates for your bank. Seriously, this is and has always been the weakest point of PKI. We have known instances of bad google.com certificates in the wild, as well as certificates being backdated to meet hash requirements.
An internal CA is simply not the problem here, particularly since you can audit your admins' actions.
>> [..] Yes, every company should have an internal trusted CA. I have no idea why there are people arguing against that.
> An internal CA is simply not the problem here, particularly since you can audit your admins' actions.
If you can properly audit your admins' actions, then that's indeed not a problem.
It's easier said than done; I just tried to mention a few reasons why a lot of people suggest (IMHO rightfully so) that perhaps it's not something just about every company should do.
In particular, it's that you don't just have to ensure that the CA is properly defended from outside threats.
Before letsencrypt we didn't have any choice, but now the landscape is really different and in many cases I believe a company could easily defer dealing with an internal CA, especially after https://letsencrypt.org/2017/07/06/wildcard-certificates-com...
FWIW, certificate pinning (HPKP) and efforts like Certificate Transparency are attempts to address or at least mitigate weaknesses of the PKI system.
OK but if I can't audit my own sysadmin's actions how in the WORLD am I going to audit the actions of the sysadmins of the 150+ organizations that my distro has decided can be trusted to sign certificates for any domain? I still fail to see where a third-party CA brings any value whatsoever here.
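One way to bound the risk the thread keeps circling (an internal CA that could sign for any domain) is the X.509 Name Constraints extension: the root declares which DNS suffixes it may ever certify, and conforming verifiers reject anything its key signs outside that scope. The Go program below is an added example, not code from anyone in this thread; it uses only the standard library, and the suffix `.corp.example`, the hostnames, the root's subject and the `must`/`sign` helpers are all constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error, acceptable in a self-contained demonstration
	if err != nil {
		panic(err)
	}
	return v
}

func sign(tmpl, parent *x509.Certificate, pub, parentKey any) *x509.Certificate { // self-signed when parent == tmpl
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// VerifyUnderConstrainedRoot builds a root limited to names under suffix, has it issue a server cert for dnsName, and verifies that cert against a store trusting only this root (nil = accepted).
func VerifyUnderConstrainedRoot(suffix, dnsName string) error {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Corp Internal Root (constructed example)"},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		PermittedDNSDomainsCritical: true, // critical, so a client that cannot evaluate it must reject the chain
		PermittedDNSDomains:         []string{suffix},
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := sign(&x509.Certificate{ // the root will happily sign this even when dnsName is out of scope
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}, root, &leafKey.PublicKey, rootKey)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: pool}) // constraints are enforced here
	return err
}
```

With this root in a trust store, `VerifyUnderConstrainedRoot(".corp.example", "intranet.corp.example")` returns nil while `VerifyUnderConstrainedRoot(".corp.example", "www.bank.example")` fails, even though the same key produced both signatures; the constraint limits what a compromised or misused internal CA is worth, it does not replace auditing who used it.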