Link: Everything you should know about certificates and PKI but are too afraid to ask
Mike Malone's Everything you should know about certificates and PKI but are too afraid to ask (via, also, also) starts off slow (and with one simplification that irritated me) but very soon gets rolling into things like X.509 and PKCS, and then gets into a thorough and solid discussion of PKI (Public key infrastructure) and the considerations of running your own internal one for (mutual) TLS authentication. I was very pleased to see this recommendation:
In any case, if you run your own internal PKI you should maintain a separate trust store for internal stuff. That is, instead of adding your root certificate(s) to the existing system trust store, configure internal TLS requests to use only your roots. [...]
Separating public 'web PKI' from your own internal PKI is an important measure to keep compromises in your internal PKI from leaking into your use of web PKI (both through browsers and through programs). It also keeps compromises in web PKI from hurting your internal PKI, which I believe is Malone's main focus.
The article isn't perfect, but it's a great introduction and overview with solid practical recommendations that goes into significant depth on some important issues.
(I'm fairly certain that I learned some new things from it, even though I'm pretty well exposed to all of this stuff already.)
Link: HTTPS in the real world
Robert Heaton's article HTTPS in the real world (via) is about the difference between HTTPS in theory, in the cryptographic world of Alice and Bob, and HTTPS in practice, in the messy real world where CAs cannot be fully trusted and people lose their keys and so on. To pick one little bit to quote:
[...] But the real world has still managed to piece together a very serviceable public-key cryptography system by patching over the holes and omissions and naivety of the introductory world with a tartan of secondary systems known collectively as “Public Key Infrastructure” (PKI).
The whole article is a clear, short, amusing, and interesting summary of the whole practical mess of HTTPS and TLS. Even though I'm pretty up on all of the issues it talks about, I still found it well worth reading.