I can't see the point of 45 day certs. Either you do a year or you do 7 days. Pointless to do anything in the middle. I prefer to have systems fail quickly than after the consultant who installed them has disappeared.
The problem we have with TLS security is that the WebPKI was designed to make it as safe using a credit card online as in a bricks and mortar store. That is all it was ever built for. It was not built to enable encryption because the NSA and FBI was making that impossible. Those who were there remember 40 bit encryption. The WebPKI is now being used for a large number of things and there are many it really isn't very good at. Google funded LetsEncrypt as a means of enabling ubiquitous encryption and preventing ISPs from intercepting Web pages to replace Google ads with ads from the ISP. And they did it in a way that broke the controls intended to protect people doing shopping online. So the net result is that now we have a WebPKI that works fairly well for any service or device that is reliably connected to the public Internet. ACME doesn't really work well at the moment for IoT devices belonging to consumers because consumers don't have the technical skill, the DNS access etc. required to deploy for a home device. But that is fixable and something I hope to demonstrate a fix for at the Bangkok IETF next month. I have a prototype that allows a user with the DNS handle @ phill.hallambaker.com to configure devices and services in their domain. So I buy a NAS, I scan a QR code on it, give it the name 'nas.hallambaker.com' and the thing now talks to my network, is reachable as https://nas.hallambaker.com/ and I can log in with my DNS Handle using my '@nywhere' account. That solves almost every use case except the 'what if Internet is out for more than 7 days and the cert life is limited to 6' and 'what if I lose the DNS name I am using for my handles'. My solution to that is to actually configure the device with two sets of certificates, one under the public WebPKI and nas.hallambaker.com and the other under a private CA hierarchy as nas.hallambaker.alt. And that is under my own personal root and with certs that can have long lifespans because I actually have a functioning revocation system on the local private CA. So I can of course install my private root into my browsers. But that is a bit of a pain for ordinary users and I don't like the idea of them installing private roots, a bad habit to start. So imagine we have a CA like LetsEncrypt called LetsAuthenticate.com and it does two things 1) Reserves names in .alt on a first come first served basis. 2) Issues cross certificates to the party that reserved the name. That solves the problem of creating a set of names and credentials for the home to use when it is off-grid and for writing internal scripts that have to survive a public domain name change. -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAMm%2BLwg3-r4Kf4kuBw0gnctu7OiFv2w3sXntD-GSK6_t-mjk4Q%40mail.gmail.com.
