Hacker Neue

Preferences
ameliaquining parent
Is there a different implementation timeline that you think would adequately address the legitimate concerns of orgs relying on legacy and manual processes? My model is that beyond a baseline of a couple years (which were already granted), adding more time doesn't help, because these orgs will always procrastinate until the last minute on anything that doesn't seem to management like an obvious immediate priority. I think the CA/B Forum does understand this and that they're significantly inconveniencing a lot of people, but it has to happen sometime, and part of the purpose of the push for automation is to ensure that the inevitable future tightenings of security requirements won't require most orgs to do anything.
xnorswap
Just extending the timeline won't help, as you suggest, if anything it'll make the problem even worse, by further bedding in the helpless.

What typically does work for this kind of thing, is finding a hook to artificially rather than technically necessitate it, while not breaking legacy.

For example, while I hate the monopoly that Google has on search, it was incredibly effective when they down-ranked HTTP sites in favour of HTTPs sites.

( In 2014: See https://developers.google.com/search/blog/2014/08/https-as-r... )

Almost overnight, organisations that never gave a shit, suddenly found themselves rushing through the any required tech debt to get SSL certs and HTTPs in place.

It was only after that drove up HTTPs to a critical mass did Google have the confidence to further nudge through bigger warnings in Chrome. ( 2018 ).

Perhaps ChatGPT and has impacted Google's monopoly too much to try again, but they could easily rank results based on certificate validity length and try the same trick again.

ameliaquining OP
I can't see them doing that, because whether a site is using HTTPS is visible to end users, and Google and many others had already spent a lot of time and effort getting them to notice and care. By contrast, end users know nothing about certificate lifetimes, so it would be hard to explain this change to them.

This item has no comments currently.