On 8/29/23 2:49 PM, Rick Troth wrote:
When they say "certificates shall only last a year", there's little we
can do about it, whether they're right or wrong.
The browser manufacturers have power in the browser ecosystem and the
ecosystems that pander to them (*cough* CAs *cough*).
But browser manufacturers have exceedingly little say in how I configure
TLS on my email server.
Crypto alone doesn't make your systems secure. Faster refresh does not
improve your posture all by itself.
I believe the faster refresh is all about shortening the exposure window.
If the CA is breached, then the issued certs are just as invalid on day
one as they are on day 398. In that case, what has the shortened
lifetime bought us?
Recent history (last 10-20 years) has demonstrated that not enough
people update their system (think software updates, not hardware
upgrades) nearly as often as they should.
As such, these people don't get the updates wherein the compromised root
cert / public key therein is distrusted / banned.
So, many in the industry are responding by shortening the natural
lifetime of such certificates.
Shortening the lifetime of a certificate does shorten the possible
amount of time when that given compromised certificate can be used
against people that updated to learn to not trust it.
This is not to say that fast cycle advocates are idiots. Most of them
are prolly way smarter than I am. It's just that they stopped short of
solving the real problem. (And some of them are opportunists: if they
can get you to buy their wares in a panic, then they've made a pretty
penny and can retire sooner.)
There have been at least three major attempts to convey that
certificates should be distrusted before their expiration:
- Certificate Revocation Lists (CRL) -- Client checks remote data
- Online Certificate Status Protocol (OCSP) -- Client checks remote data
- OCSP Stapling -- Server fetches remote data, hands it to the
client, client checks verifiable data it was handed.
Sadly, all three of these have left more exposure than people are
comfortable with.
So, rather than trying to deal with early distrust of certificates, the
Certificate Authority / Browser Forum (CA/B Forum) has decided to tackle
things differently by shortening the possible exposure window.
I almost regret this note because I haven't really offered a solution.
Lots of really smart people have put forth multiple solutions. Some
were widely deployed. Most were not as successful as many had hoped.
Some say "security is a process". I hate that slogan, but it's kinda
true. I DO say that we're foolish to try and shrink-wrap security into
store-shelf remedies. There's no alternative to educating the staff.
--
Grant. . . .