Comment by ocdtrekkie 2 days ago
Unsurprisingly the 100% true comment in here is gray: PKI is breaking the Internet and because the PKI folks have literally no guardrails of any kind, they're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.
But hey, there's an upside: When they finally break this toy badly enough, everyone will finally evict the CAB from their lives and do something else.
So first and foremost, nearly every enterprise organization is still shifting a few files every 11 months thanks to the CAB. This isn't the past, it's the present.
Second, I think the statistic is that 81% of businesses have had an outage due to certificate expiry. So you need to understand that making certs expire more is inherently damaging. Automation breaks so even automated shorter-lifetime certificates will still accelerate and increase this damage.
And finally, nobody who's ever tried justifying the CAB's behavior has actually been able to demonstrate the CAB is solving real world problems. I want someone from the CAB to show me a real world exploit that happened that was because someone got a hold of a certificate between 7 and 90 days old and was able to use that maliciously.
If someone from the CAB can't do that, the entire CAB should be disbanded.
Regarding your "skill issue" comment, it really only demonstrates you have some growing up to do. There's a lot of real world complexity in operating business-critical and life-critical services, and it's obvious you lack experience with both.
> Regarding your "skill issue" comment, it really only demonstrates you have some growing up to do. There's a lot of real world complexity in operating business-critical and life-critical services, and it's obvious you lack experience with both.
I believe that this is out of place and perhaps a result of reading things with an uncharitable interpretation.
The skill floor part of the comment isn't me attempting to blame someone, but rather point out that needing this sort of automation complicates things and adds friction. If the only certificates that you get for free (e.g. Let's Encrypt) are short lived, then you can't just sit down once a year and move some files around, you need certbot / mod_md / Caddy and all that comes with it. Of course, you still have the longer lived commercial certs, but it's odd to see how the trend is shifting towards ACME. Not the end of the world for most, but also something that a mom & pop shop might prefer not to deal with. Or, you know, environments with specific requirements.
> So you need to understand that making certs expire more is inherently damaging.
For this, I make no claims one way or the other. To me, concerns about long lived certificates seem valid, as do those about short lived ones, both have risks associated with them. Which is the better approach? You decide for yourself. Except most people don't get to decide and just have to roll along with whatever the industry at large settles on.
When you talk about there being risks to both short and long lived certificates, that is true, but it's omitting very important detail: Short-lived certificates have practical, real-world risks that are actually happening every day. People die when the Internet breaks. Long-lived certificates have some imaginary and hypothetical security risks that the CAB is very scared of but mostly don't happen.
In any good risk management scenario you have to weigh the cost/benefit of a change in terms of what benefits it offers and what tradeoffs it has. The CAB has repeatedly demonstrated complete inability to consider the risk profile of their behavior. They are unqualified for the job, and unfortunately, accountable to noone.
> They're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.
I think that shorter cert lifetimes and the push for more automation is a valid direction to look in and work towards. But at the same time that means that there's a certain skill floor and also certain tech that you need to have in place to be able to work with all of that.
Back in the day, you'd just have someone sit down once in a year, move a few files around your server and call it a day. With the current trends, that won't really be possible, at least not for any of the certs that you can get for free.
For my public facing stuff, I just bit the bullet and went through with the automation (certbot is nice, mod_md is okay, Caddy is great), but for my personal stuff I settled on running my own CA and self-signing stuff. If I want a 10 year cert expiry for something that I don't really care that much about, I'll go ahead and do that because I'm in control. The server itself is unlikely to survive for long anyways and other development stuff is more likely to break first, so I'd rather spend my time there, rather than on automation that I don't need. Plus, mTLS is suddenly easy to do as an added security layer if I ever need to expose something to-the-outside-but-actually-just-for-myself-when-on-the-move.