
ameliaquining
What would it look like for the Web PKI to "not survive that change"? Is the idea that companies stop having websites and tell all their users to switch to Gopher or something, because the burden of certificate management is too much?

> In our case, we'll be spending the next couple years reducing our use of PKI certificates to the bare functional minimum.

Good. A certificate being publicly trusted is a liability, which is why there are all these stringent requirements around it. If your certificates do not in fact need to be trusted by random internet users, then the CA/B wants you to stop relying on the Web PKI, because that reduces the extent to which your maintenance costs have to be balanced against everybody else's security.

As I said in another comment, private CAs aren't that popular right now in the kinds of organizations that have a hard time keeping up with these changes, because configuring clients is too painful. But if you can do it, then by all means, do!

ocdtrekkie
> What would it look like for the CA/B to "not survive that change"?

I suspect when companies who are members actually realize what happened, CA/B members will be told to reverse the 47-day lifetime or be fired and replaced by people who will. This is a group of people incredibly detached from reality, but that reality is going to come crashing through to their employers as 2029 approaches.

> Good.

You may assume that most organizations will implement private CAs in these scenarios. I suspect the use of encryption internally will just fall. And it will be far easier for attackers to move around inside a network, and take over the handful of fancy auto-renewing public-facing servers with PKI anyways.

ameliaquining OP
Who exactly in the CA/B member companies is going to demand that the 47-day lifetime be reversed, and why are they going to do that?

If an org is tech-forward enough to have bothered setting up HTTPS for internal use cases on their own initiative, just because it was good for security, then they're not going to have major problems adapting to the 47-day lifetime. The orgs that will struggle to deal with this are the ones that did the bare minimum HTTPS setup because some external factor forced them to (with the most obvious candidate being browsers gradually restricting what can be done over unencrypted HTTP). Those external factors presumably haven't gone anywhere, so the orgs will have to set up private CAs even if they'd rather not bother.
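
As an added illustration of the private-CA path the comments above keep returning to (this is example code written for this page, not anything posted by the thread's participants, and not a reference to any CA/B Forum tooling): a small Go program that stands up an internal root, issues a leaf certificate with the 47-day lifetime under discussion, and then shows what "configuring clients" actually decides. A client that has the private root in its trust store accepts the leaf; a client with an empty store, a client checking a different hostname, or a client connecting after day 47 does not. The organisation name, the hostname `intranet.example.internal`, and the `MaxLeafLifetime` constant are assumptions chosen for the example; the lifetime value itself is the figure named in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLeafLifetime is the 47-day ceiling discussed in the thread, used here as
// the lifetime the private CA issues at. Assumed value for this example.
const MaxLeafLifetime = 47 * 24 * time.Hour

// PrivateCA is an internal root that only this organisation's clients trust.
// Nothing here touches the Web PKI: no public CA, no CT logs, no browser root store.
type PrivateCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// signCert creates a certificate from tmpl signed by signer under parent and
// returns the parsed result (assumed helper name).
func signCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPrivateCA generates a self-signed P-256 root with a long lifetime; root
// lifetime is not constrained by leaf rules, only by how often you can rotate it.
func NewPrivateCA(name string) (*PrivateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute), // small skew allowance
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &PrivateCA{Cert: cert, key: key}, nil
}

// Issue signs a server leaf for host valid for exactly lifetime from now.
// The SAN carries the hostname; modern verifiers ignore the CN for matching.
func (ca *PrivateCA) Issue(host string, lifetime time.Duration) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return signCert(tmpl, ca.Cert, &leafKey.PublicKey, ca.key)
}

// Lifetime is the validity window a lifetime rule would measure.
func Lifetime(c *x509.Certificate) time.Duration { return c.NotAfter.Sub(c.NotBefore) }

// ClientTrusts models a client whose trust store holds exactly roots and that
// connects to host at time at. This is the "client configuration" step: a
// client with the private root accepts the leaf, any other client rejects it.
func ClientTrusts(cert *x509.Certificate, roots []*x509.Certificate, host string, at time.Time) bool {
	pool := x509.NewCertPool() // empty pool, never the system store
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: at})
	return err == nil
}

func main() {
	ca, err := NewPrivateCA("Example Internal Root")
	if err != nil {
		panic(err)
	}
	leaf, err := ca.Issue("intranet.example.internal", MaxLeafLifetime)
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaf lifetime: %v (%.0f days)\n", Lifetime(leaf), Lifetime(leaf).Hours()/24)
	fmt.Println("client with private root:", ClientTrusts(leaf, []*x509.Certificate{ca.Cert}, "intranet.example.internal", time.Now()))
	fmt.Println("client with empty store:  ", ClientTrusts(leaf, nil, "intranet.example.internal", time.Now()))
	fmt.Println("same client on day 48:    ", ClientTrusts(leaf, []*x509.Certificate{ca.Cert}, "intranet.example.internal", time.Now().Add(48*24*time.Hour)))
}
```

The piece that makes or breaks this in practice is the line that fills `pool`: every internal client (browsers, curl, JVMs, container images, embedded devices) needs the private root distributed to it, and the day-48 case is the part that has to be automated, since an issuer that can mint a 47-day leaf is only useful if the renewal runs without a human.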

ocdtrekkie
I think when Sundar and Satya start hearing about how their customers are losing billions of dollars because of some random people at their company called "certificate trust program leads" or whatever, there are going to be a lot of questions about how those decisions got made and how to get them un-made.

Most of the other forum members either won't oppose longer lifetimes (every cert vendor would be happy) or will bow to the only two companies that matter.

ameliaquining OP
Nothing even remotely similar to that happened on previous tightenings. Going from not a peep to enough outrage to overturn a decision this thoroughly debated all at once seems really unlikely. Also, what are the aggrieved enterprises going to do, threaten to move from GCP to AWS if Chrome doesn't do what they want? That's an empty threat and everyone knows it.

nickf
None of this will happen. Saying this as the named endorser for SC-081.

ocdtrekkie
I really would like to share with you that what you endorsed will cause deaths. Deaths never attributed directly, sure. But the damage to the stability of the Internet of this is immense, and the impact that will have on individual lives virtually unpredictable in millions of complicated ways.

And I really hope you are wrong that it will not get reversed. (I hope I am wrong about the above, but I doubt it.)
