On Thu, May 30, 2024 at 09:14:52AM -0700, 'Amir Omidi (aaomidi)' via [email protected] wrote:
> In my experience (and through what I've heard from others), at least in
> large enterprises, the work for automating cert issuance and replacement is
> simply *not important*.
>
> I've asked a few folks who would be in the place to do that automation work
> and in nearly all cases they tell me they know what they need to do, they
> know the task is not necessarily a fast one to complete, but it will
> forever be de-prioritized because it *just doesn't matter*. If something
> happens, they can ask their CA of choice to delay revocation - they seem
> to believe that certain CAs would be fine delaying revocation even in the
> case of key compromise.

If subscribers don't think that certificate automation isn't important, let's make a new revocation reason, "because a Root Program told us to". Mozilla, et al then randomly choose issued certificates and require them to be revoked within 24 hours (if I'm going to make up never-gonna-happen things, I may as well shoot for the moon...)

- Matt

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ce7299fd-edb1-49b3-b7da-60652cb579c3%40mtasv.net.
