Man, you’re giving me flashbacks to real analysis. Shit is weird. Like the set of all integers is the same size as the set of all positive integers. The set of all fractions, including whole numbers, aka integers, is the same size as the set of all integers. The set of all real numbers (all numbers including factions and irrational numbers like pi) is the same size as the set of all real numbers between 0 and 1. The proofs make perfect sense, but the conclusions are maddening.

The security of these certificates only guarantees that you’re talking to the right server and that your communication is encrypted. For other concerns like of the server was hacked, you’ll need something else. No individual piece of security tech can secure everything. You as the site admin can only use it as one piece of a comprehensive security package that defends against what you perceive as the most credible threats.

Asking where’s the security is like asking where’s the protection with a bullet proof vest if you can still get shot in the head. A vest offers one type of protection, but a comprehensive security package is going to include other pieces like helmets.

I don’t know what the process is like to become a certificate authority. I imagine the answer is technically yes but realistically no, at least not as an individual. You’d be providing a critical piece of internet infrastructure, so you’d need the world to consider you capable of providing the service reliably while also capable of securing the keys used to sign certificates so they can’t be forged. It’s a big responsibility that involves putting a LOT of trust in the authority, so I don’t think it’s taken very lightly.

It’s to make sure you’re actually reaching your intended endpoint. If I’m visiting a site for the first time, how do I know I actually have THEIR certificate? If it’s self generated, anybody could sign a certificate claiming to be anybody else. The current system is to use authority figures who validate certificates are owned by the site you’re trying to visit. This means you have a secure connection AND know you’re interacting with the correct site.

Running a server is very doable. There are packages to deploy and configure almost everything for you and removing a ton of headache.

Getting your email recognized as not spam by the major providers is pretty much impossible. You need all sorts of stuff to help verify integrity including special DNS records and public identity keys, but even if you do everything right, your mail can very easily get black holed before it even reaches a user’s inbox because of stupid shit like someone abused your rented server’s IP years ago, and you can’t seem to get it off everyone’s lists.

Email as a decentralized tool has effectively been ruined by spam and anti-spam measures. You’re effectively forced to use a provider because it’s near impossible to make your outgoing mail work as an individual. I think some of those anti-spam measures are anticompetitive, but I do think some are just desperate attempts to reduce the massive flow of spam.