
nickf
Joined 303 karma
Basic constraints. Long-time PKI-botherer.

If you want to email me, use: nick (-at-) nickf (-dot-) net


  1. I was mostly just typing out what they had listed under 'products' on their pages. I'm aware of what Mozilla do, know folks there and that have been there. They've been roundly criticised for adding 'products' of questionable value to their core userbase, rightly so in my opinion.
  2. ...which is arguably the problem. Firefox. Thunderbird. That should be it. According to their own site, beyond that they have the browser app for mobile devices. A VPN service, an email-forwarding service, and MDN. Hardly 'many products'.
  3. There are ways to do this as pointed out below - CNAME all your domains to one target domain and make the changes there. There’s also a new DCV method that only needs a single, static record. Expect CA support widely in the coming weeks and months. That might help?
  4. It might never 'touch' the internet, but the certificates can be easily automated. They don't have to be reachable on the internet, they don't have to have access to modify DNS - but if you want any machine in the world to trust it by default, then yes - there'll need to be some effort to get a certificate there (which is an attestation that you control that FQDN at a point-in-time).
  5. Not quite true - some CAs were not 'held hostage' - some agree with the changes and supported them. See the endorsers for SC-081.
  6. Honestly don't recall discussing 17 days, but I could be wrong. 47 days was a 'compromise' in that it's a step-down over a few years rather than a single big-bang event dropping from 397->90/47/less.
  7. Can I ask - if you're using publicly-trusted TLS server certificates for client authentication...what are you actually authenticating? Just that someone has a certificate that can be chained back to a trust-anchor in a common trust-store? (ie your authentication is that they have an internet connection and perhaps the ability to read).
  8. Sure, but in those examples - automation and short-lifetime certs are totally possible.
  9. Chrome root policy, and likely other root policies are moving toward 5-year rotation of the roots, and annual rotation of issuing CAs. Cross-signing works fine for root rotation in most cases, unless you use IIS, then it becomes a fun problem.
  10. Where did you get 17 days from?
  11. If it doesn’t run a web service, or isn’t publicly routable - why do you need it to work on billions of users' browsers and devices around the world?
  12. You assume it’s just the certs being purchased - and not support, SLAs, other related products, management platforms, private PKI and more. If all you do is public TLS, sure, that might be an issue.
  13. Roots for all CAs are going to be rotating much more frequently now. Looking to be every 5 years.
  14. CAs are gonna start rotating more frequently soon, and you may even see randomisation. Pinning to public certs is a real no-no.
  15. I still think 'don't pin' is the best advice, but absolutely it should never be done to public CAs. I agree with your point about different endpoints, but maybe one endpoint for pinned apps, separate to your browser-based sites/endpoints.
  16. Is the certificate you use on your website any different to that on google.com? Does/could a browser know this and act differently?
  17. You can, but it’s still dangerous. You don’t have control over if those certs are revoked or keys blocklisted.

    It’s best to simply not use public certs for pinning, if you really must do it.

  18. A certificate is a binding of a cryptographic key, along with an attestation of control of a DNS record(s) at a point in time. DNS changes frequently. The attestation needs to be refreshed much more frequently to ensure accuracy.
  19. It'll be tough when ICAs rotate every 5/6 months and may even randomise.
  20. I'd say two big reasons: 1) A lot of people/enterprises/companies/systems are not ready. They're simply not automated or even close to it.

    2) Clock skew.

  21. I would strongly suggest that these certs have no reason to be from a public CA and thus you can (and should) move them to a private CA where these rules don't apply.
  22. Don't. Don't pin to public certificates. You're binding your app to third-party infrastructure beyond your control. Things change, and often. Note that pinning to a root or intermediate seems 'sensible' - but it isn't. Roots are going to start changing every couple of years. Issuing/intermediate CAs will be down to 6 months, and may even need to be randomised so when you request a new cert, there's no guarantee it'll be from the same CA as before.

    Don't pin to certs you don't control.

  23. That's interesting - thank you! Can I ask where you saw the (limited) information? Hearingtracker forum seems devoid of info on the Zeal and accessories (likely due to the limited fitting range) - but I'd be curious if Oticon are planning a smaller, lower-capacity charger!
  24. How are you finding the Zeal's charger? As I said in another comment - I'm baffled Oticon can't make a charging case the size of the AirPods Pro or similar. The Zeal charger doesn't seem exactly...pocketable!
  25. Weird - in an incredibly similar situation and my RICs are overdue an upgrade (Oticon Opn 3). I've been keeping an eye on developments for some time, and I've been looking for something ideally CIC, though I do like the RIC Opns. However, nothing has had the feature set I wanted - bluetooth, auracast, Apple MFI and being CIC.

    Oticon just announced/released their 'Zeal' product - a non-custom CIC, with seemingly all the bells and whistles, including bluetooth. Planning to try them soon.

    I have tried a few aids before (Starkey and some older Phonak) and I do really like the Oticon 'sound'. They work for me, but of course YMMV. I think many aid manufacturers (many of them the same company - WDH!) do 60 day trials. Worth a shot.

    My only dislike is the new fad, particularly of Oticon, of stopping disposable batteries and only going rechargeable. Disposable zinc-air cells have great life (I'd get a week on the Opns at least, with a few hours streaming per day). I travel for work a lot, so carrying a couple of tiny 312's in my wallet or keychain was perfect. The Zeal look to have what Oticon think is a 'compact' charger - but it ain't small. My kingdom for a charger the size of the AirPods Pro case...

  26. Azure Key Vault - even in the ‘premium’ HSM flavour can’t actually prove the HSM exists or is used, which doesn’t satisfy the requirements the CA has. In theory, it shouldn’t work - but some CAs choose to ignore the letter and the spirit of the rules. Even Azure’s $2400 a month managed HSM isn’t acceptable, as they don’t run them in FIPS mode.
  27. It's likely to get worse as CAs rotate roots more frequently. Cross-signing will work for a time (provided you correctly install) but at some point, older devices will drop out of support and that'll be it.
  28. If there are systems that are that resistant to automation, the question should be 'does this system need a publicly-trusted server certificate, the same as a blog about cats or a Shopify shop?'. The answer is no. If it can't practically be automated, it near-certainly doesn't need to have a public cert on it.
  29. It will not be reversed, of that I'm certain. Attributing deaths, even indirectly, to the change in duration of TLS server certificates for the webPKI is incredibly extreme. If you have any real evidence or data to share, I have resources and my own time to investigate.
  30. None of this will happen. Saying this as the named endorser for SC-081.
