On Wed, 2023-05-17 at 19:20 -0400, Jeffrey Walton wrote: > The reason for short lived certificates is to keep CRLs small, > especially for mobile devices. In the past, mobile clients were asked > to download 60 MB CRLs over a 2G or 3G connection. UI's literally hung > while trying to perform the revocation checks.
What a brain-dead way to do things! I would have created a system that worked long these lines: You try to connect to https://example.com and find that it's certificate was issued by https://example.org, so you poll example.org about the veracity of the specific certificate for example.com. Back in my early days of browsing I noticed that the web browsers came preconfigured not to check on the revocation status of certificates, operating in a "trust me, you fool" mode (no double-checks). If you enabled the check, various proper web sites failed. Another lot of people who like to appear to be doing the right thing, without actually doing the job properly. > Key continuity is much more valuable than gratuitous key rotation. > Never throw away a perfectly good key (or password). In fact, > unexpected key changes - from the relying party's view - should be > considered a red flag. Yes, I'm suspicious of new keys/certificates. If this was created yesterday, *HOW* do I know it's the same entity as I was dealing with last month? (As a quick process, rather than having to do an in-depth investigation.) > Key continuity and Public Key Pinning is what revealed the DigiNotar > compromise. Here's the Iranian kid's message that started the whole > thing off: > http://productforums.google.com/forum/#!category-topic/gmail/share-and-discuss-with-others/3J3r2JqFNTw > . > > Unfortunately, Google's asshole webmaster broke the link. Where can I > get a job breaking shit like a webmaster? Just about any website, it seems. The idea that information is worth keeping for more than two days seems foreign to some people. I get the impression many have ADHD. On the other hand some news services pop up recommended stories in the middle of the one you're reading that are 10 years out of date, with only the tiniest of clues that they are. And I mean recommended reading because it's somewhat similar, or not at all, to the current story. Not that it's been suggested as associated further reading. I assume you meant that the link you provided was not going to work (it didn't). A quick google of "DigiNotar compromise" provided a page on Wikipedia summarising the thing. People decry the website, but I find a good starting point for a moderately brief description, at least, with links for further reading. -- uname -rsvp Linux 3.10.0-1160.90.1.el7.x86_64 #1 SMP Thu May 4 15:21:22 UTC 2023 x86_64 Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list. _______________________________________________ users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
