Comment by rfoo 2 days ago

10 replies

... which means automation was not set up correctly and 90 days is still too long that you just tolerated it. If it was 6 days after a few turns you would have decided "fuck it I'm going to spend time fixing it once and for all".

jonas21 2 days ago

Or perhaps, "I'm going to give up and switch to gmail once and for all"

  • dingnuts 2 days ago

    there are other email providers, you know. the choices are not "do it all myself" and "be Google's product."

    • bolognafairy 2 days ago

      How could the person you’re replying to have reasonably phrased their comment to avoid this snark from you?

      I’m 1,000% sure that they know what you’re trying to espouse. Nowhere in the comment does it say “here is an exhaustive list of hosted email providers”. It’s a JOKE.

likeabatterycar 2 days ago

These are the attitudes we get when we have a WebPKI cabal drunk on power.

  • ocdtrekkie 2 days ago

    Unsurprisingly the 100% true comment in here is gray: PKI is breaking the Internet and because the PKI folks have literally no guardrails of any kind, they're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.

    But hey, there's an upside: When they finally break this toy badly enough, everyone will finally evict the CAB from their lives and do something else.

    • KronisLV 2 days ago

      > They're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.

      I think that shorter cert lifetimes and the push for more automation is a valid direction to look in and work towards. But at the same time that means that there's a certain skill floor and also certain tech that you need to have in place to be able to work with all of that.

      Back in the day, you'd just have someone sit down once in a year, move a few files around your server and call it a day. With the current trends, that won't really be possible, at least not for any of the certs that you can get for free.

      For my public facing stuff, I just bit the bullet and went through with the automation (certbot is nice, mod_md is okay, Caddy is great), but for my personal stuff I settled on running my own CA and self-signing stuff. If I want a 10 year cert expiry for something that I don't really care that much about, I'll go ahead and do that because I'm in control. The server itself is unlikely to survive for long anyways and other development stuff is more likely to break first, so I'd rather spend my time there, rather than on automation that I don't need. Plus, mTLS is suddenly easy to do as an added security layer if I ever need to expose something to-the-outside-but-actually-just-for-myself-when-on-the-move.

      • ocdtrekkie 3 hours ago

        So first and foremost, nearly every enterprise organization is still shifting a few files every 11 months thanks to the CAB. This isn't the past, it's the present.

        Second, I think the statistic is that 81% of businesses have had an outage due to certificate expiry. So you need to understand that making certs expire more is inherently damaging. Automation breaks so even automated shorter-lifetime certificates will still accelerate and increase this damage.

        And finally, nobody who's ever tried justifying the CAB's behavior has actually been able to demonstrate the CAB is solving real world problems. I want someone from the CAB to show me a real world exploit that happened that was because someone got a hold of a certificate between 7 and 90 days old and was able to use that maliciously.

        If someone from the CAB can't do that, the entire CAB should be disbanded.

        Regarding your "skill issue" comment, it really only demonstrates you have some growing up to do. There's a lot of real world complexity in operating business-critical and life-critical services, and it's obvious you lack experience with both.
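Two things in this thread lend themselves to a concrete demonstration: KronisLV's "run my own CA, self-sign with a 10 year expiry, and get mTLS for free" setup, and ocdtrekkie's point that certificate expiry causes outages whether or not renewal is automated. The Go program below is an added example written for this page, not code from either commenter, Caddy, certbot or any other project mentioned. It uses only the standard library's crypto/x509. Every name in it (the "homelab root CA" subject, the host nas.home.arpa, the client "laptop", the fixed clock) is a constructed placeholder. It builds a 10-year private root, issues a server leaf and an mTLS client leaf under it, verifies chains the way a TLS stack would (including rejecting a client cert offered as a server cert), and exposes an expiry check of the kind a monitor should run independently of the renewal job.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fixed clock so the example is deterministic (constructed for this example).
var now = time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)

// newCA creates a self-signed root valid for `years` years. Since we are our own
// CA, nobody else dictates the lifetime; 10 years is a policy choice here.
func newCA(years int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "homelab root CA"}, // hypothetical name
		NotBefore:             now,
		NotAfter:              now.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            0,
		MaxPathLenZero:        true, // root signs leaves directly; no intermediates allowed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueLeaf signs a leaf under the CA. Server leaves get a DNS SAN; mTLS client
// leaves get no SAN and ExtKeyUsageClientAuth. The leaf key is discarded here;
// in a real setup it would be written to disk next to the certificate.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn, dnsName string,
	eku x509.ExtKeyUsage, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	if dnsName != "" {
		tmpl.DNSNames = []string{dnsName}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify checks leaf against our root at time `at` for the requested usage.
// dnsName is matched against the SAN when non-empty (server certs only).
func verify(leaf, root *x509.Certificate, eku x509.ExtKeyUsage, dnsName string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		DNSName:     dnsName,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{eku},
	})
	return err
}

// daysLeft is the number of whole days until NotAfter as seen at `at`.
func daysLeft(c *x509.Certificate, at time.Time) int {
	return int(c.NotAfter.Sub(at).Hours() / 24)
}

// needsRenewal is the monitoring check: true once the cert is inside its renewal
// window or already expired. Run this separately from the renewal job, so a
// silently broken automation is noticed before the expiry becomes an outage.
func needsRenewal(c *x509.Certificate, at time.Time, windowDays int) bool {
	return daysLeft(c, at) <= windowDays
}

func main() {
	ca, caKey, err := newCA(10)
	if err != nil {
		panic(err)
	}
	srv, err := issueLeaf(ca, caKey, 2, "nas.home.arpa", "nas.home.arpa", x509.ExtKeyUsageServerAuth, 10)
	if err != nil {
		panic(err)
	}
	cli, err := issueLeaf(ca, caKey, 3, "laptop", "", x509.ExtKeyUsageClientAuth, 10)
	if err != nil {
		panic(err)
	}
	fmt.Println("server chain now:        ", verify(srv, ca, x509.ExtKeyUsageServerAuth, "nas.home.arpa", now))
	fmt.Println("server chain after expiry:", verify(srv, ca, x509.ExtKeyUsageServerAuth, "nas.home.arpa", now.AddDate(10, 0, 1)))
	fmt.Println("client cert as mTLS client:", verify(cli, ca, x509.ExtKeyUsageClientAuth, "", now))
	fmt.Println("client cert as server:    ", verify(cli, ca, x509.ExtKeyUsageServerAuth, "", now))
	fmt.Println("days left on server cert: ", daysLeft(srv, now), "renew?", needsRenewal(srv, now, 30))
}
```

The chain check with `KeyUsages` is what makes mTLS cheap once you own the root: the same root vouches for the server and for each client, and a client certificate cannot be replayed as a server certificate because its extended key usage does not allow it. The `needsRenewal` check is the practitioner's answer to the outage statistic cited above: whatever the lifetime policy, alert on days-to-expiry from a process that does not share the renewal job's failure modes.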