• Website Certs Will Soon Last Only 47 Days

    From Lawrence D'Oliveiro@ldo@nz.invalid to comp.misc on Fri Apr 11 22:32:56 2025
    From Newsgroup: comp.misc

    The CA/Browser Forum (a group that includes those entities that issue
    you with attested SSL/TLS certificates) has voted to severely shorten
    the valid duration of its certificates from one year to just 47 days <https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html>.

    Some see this as a revenue grab. Yes, it may be, but there are also
    good security reasons for doing so.

    The revenue-grab reason may backfire. For most purposes, a free cert
    service like Let’s Encrypt is quite sufficient, and it’s easy enough
    to set your system to run a cron task (or systemd timer) to
    auto-renew. This already happens by default on a Debian installation,
    for example.
    --- Synchronet 3.20c-Linux NewsLink 1.2
  • From Oregonian Haruspex@no_email@invalid.invalid to comp.misc on Sat Apr 12 03:30:41 2025

    Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
    > The CA/Browser Forum (a group that includes those entities that issue
    > you with attested SSL/TLS certificates) has voted to severely shorten
    > the valid duration of its certificates from one year to just 47 days
    > <https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html>.
    >
    > Some see this as a revenue grab. Yes, it may be, but there are also
    > good security reasons for doing so.
    >
    > The revenue-grab reason may backfire. For most purposes, a free cert
    > service like Let’s Encrypt is quite sufficient, and it’s easy enough
    > to set your system to run a cron task (or systemd timer) to
    > auto-renew. This already happens by default on a Debian installation,
    > for example.

    It’s not a revenue grab. It IS yet another of the methods THEY are
    employing to make it impossible to use the Internet with old,
    backdoor-free computers.
  • From Lawrence D'Oliveiro@ldo@nz.invalid to comp.misc on Sat Apr 12 03:54:15 2025

    On Sat, 12 Apr 2025 03:30:41 -0000 (UTC), Oregonian Haruspex wrote:

    > It’s not a revenue grab. It IS yet another of the methods THEY are
    > employing to make it impossible to use the Internet with old,
    > backdoor-free computers.

    Let’s just say, I use one of those free auto-renewing cert services
    (Let’s Encrypt), and I’m probably more confident than you are that my
    computer is “backdoor-free”.
  • From Richard Kettlewell@invalid@invalid.invalid to comp.misc on Sat Apr 12 09:28:22 2025

    Lawrence D'Oliveiro <ldo@nz.invalid> writes:
    > The CA/Browser Forum (a group that includes those entities that issue
    > you with attested SSL/TLS certificates) has voted to severely shorten
    > the valid duration of its certificates from one year to just 47 days
    > <https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html>.

    More concrete details at https://github.com/cabforum/servercert/pull/553.

    > Some see this as a revenue grab. Yes, it may be, but there are also
    > good security reasons for doing so.

    The “revenue grab” theory is rather dubious. The proposal is from a
    device vendor, not a CA; they will make no money from it at all.

    If your CA charges by the renewal _and_ doesn’t adjust prices to reflect
    the shorter lifetime of individual certificates, then yes, it’ll get a
    lot more expensive; an example of shrinkflation. That’d be time to
    migrate to a CA with a more reasonable pricing model.

    > The revenue-grab reason may backfire. For most purposes, a free cert
    > service like Let’s Encrypt is quite sufficient, and it’s easy enough
    > to set your system to run a cron task (or systemd timer) to
    > auto-renew. This already happens by default on a Debian installation,
    > for example.

    Right, the organizations who will have a real problem are those still
    renewing certificates manually. They have a choice between spending a
    bit more on their own staffing, or automating renewal (probably cutting
    their overall costs in the long run).
    --
    https://www.greenend.org.uk/rjk/
  • From Theo@theom+news@chiark.greenend.org.uk to comp.misc on Sat Apr 12 11:44:45 2025

    Richard Kettlewell <invalid@invalid.invalid> wrote:
    > Right, the organizations who will have a real problem are those still
    > renewing certificates manually. They have a choice between spending a
    > bit more on their own staffing, or automating renewal (probably cutting
    > their overall costs in the long run).

    I can see this being a big pain for private infrastructure. Much
    networking gear, for example, has a web interface for uploading a
    certificate, but not an automated flow for doing so. If that gear is
    also not able to reach the internet it can't do any kind of
    'well-known' challenges.

    I'm sure there are workarounds, but they won't necessarily apply to
    what's already out there. This change could be disruptive for that.

    Theo
  • From John McCue@jmccue@magnetar.jmcunx.com to comp.misc on Sat Apr 12 14:06:58 2025

    Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
    > The CA/Browser Forum (a group that includes those entities that issue
    > you with attested SSL/TLS certificates) has voted to severely shorten
    > the valid duration of its certificates from one year to just 47 days
    > <https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html>.
    >
    > Some see this as a revenue grab. Yes, it may be, but there are also
    > good security reasons for doing so.

    I agree with this. Plus include the fact that google and
    friends are trying to block 'http' (no s) static sites,
    seems it is a continuation of a war on General Computing.

    I would not be surprised that in a few short years you will
    only be able to access sites with a back-doored Cell Phone.

    > The revenue-grab reason may backfire. For most purposes, a free cert
    > service like Let’s Encrypt is quite sufficient, and it’s easy enough
    > to set your system to run a cron task (or systemd timer) to
    > auto-renew. This already happens by default on a Debian installation,
    > for example.

    This I would not know :) I have moved my WEB Site to
    gemini/gopher on SDF. My site just sits there to point
    people to gemini and/or gopher.
    --
    [t]csh(1) - "An elegant shell, for a more... civilized age."
    - Paraphrasing Star Wars
  • From Lawrence D'Oliveiro@ldo@nz.invalid to comp.misc on Sun Apr 13 00:04:39 2025

    On 12 Apr 2025 11:44:45 +0100 (BST), Theo wrote:

    > Much networking gear, for example, has a web interface for uploading a
    > certificate, but not an automated flow for doing so.

    Surely most if not all of that networking gear is Linux-based by now.
    And Linux can certainly do it.

    > If that gear is also not able to reach the internet it can't do any
    > kind of 'well-known' challenges.

    There would be ways to selectively allow such things through the
    firewall.

    > I'm sure there are workarounds, but they won't necessarily apply to
    > what's already out there.

    I’m sure there are software updates to cope with this. Companies that
    are used to coping with large data-centre installations would not be
    new to this.
  • From Lawrence D'Oliveiro@ldo@nz.invalid to comp.misc on Sun Apr 13 00:05:44 2025

    On Sat, 12 Apr 2025 14:06:58 -0000 (UTC), John McCue wrote:

    > Plus include the fact that google and friends are trying to block
    > 'http' (no s) static sites, seems it is a continuation of a war on
    > General Computing.

    I don’t know why you think general-purpose computers are incapable of
    secure communication through the Internet. Where do you think such
    secure communication got invented?
  • From Richard Kettlewell@invalid@invalid.invalid to comp.misc on Sun Apr 13 13:03:41 2025

    Theo <theom+news@chiark.greenend.org.uk> writes:
    > Richard Kettlewell <invalid@invalid.invalid> wrote:
    >> Right, the organizations who will have a real problem are those still
    >> renewing certificates manually. They have a choice between spending a
    >> bit more on their own staffing, or automating renewal (probably
    >> cutting their overall costs in the long run).
    >
    > I can see this being a big pain for private infrastructure. Much
    > networking gear, for example, has a web interface for uploading a
    > certificate, but not an automated flow for doing so. If that gear is
    > also not able to reach the internet it can't do any kind of
    > 'well-known' challenges.

    Fair point. I think SCEP is the well-established ‘enterprise’ approach
    to this (I don’t know the details though). But it’d be nice to see
    device vendors supporting ACME more widely.
    --
    https://www.greenend.org.uk/rjk/
  • From Richmond@dnomhcir@gmx.com to comp.misc on Sun Apr 13 16:27:07 2025

    Lawrence D'Oliveiro <ldo@nz.invalid> writes:

    > The revenue-grab reason may backfire. For most purposes, a free cert
    > service like Let’s Encrypt is quite sufficient, and it’s easy enough
    > to set your system to run a cron task (or systemd timer) to
    > auto-renew. This already happens by default on a Debian installation,
    > for example.

    What about the increased load on the servers of all the extra renewals?
  • From John McCue@jmccue@magnetar.jmcunx.com to comp.misc on Sun Apr 13 17:39:56 2025

    Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
    > On Sat, 12 Apr 2025 14:06:58 -0000 (UTC), John McCue wrote:
    >
    >> Plus include the fact that google and friends are trying to block
    >> 'http' (no s) static sites, seems it is a continuation of a war on
    >> General Computing.
    >
    > I don’t know why you think general-purpose computers are incapable of
    > secure communication through the Internet. Where do you think such
    > secure communication got invented?

    Of course they can connect right now, but as time goes on
    I am sure at some point, general purpose computers will start
    being blocked. Google no longer returns non-secure sites.
    Firefox blocks ftp sites and I believe http pages unless you
    go looking for options to set.

    Forcing everyone into a Cell Phone Type environment is the
    easiest way to spy on people and block "bad sites" and spam
    them with ads.

    So this plus other trends is starting to look like
    something like "First they came for..."
    FWIW, I hate using that analogy in this case, but it is
    the shortest way to type it.
    --
    [t]csh(1) - "An elegant shell, for a more... civilized age."
    - Paraphrasing Star Wars
  • From Richard Kettlewell@invalid@invalid.invalid to comp.misc on Sun Apr 13 19:07:27 2025

    John McCue <jmccue@magnetar.jmcunx.com> writes:
    > Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
    >> On Sat, 12 Apr 2025 14:06:58 -0000 (UTC), John McCue wrote:
    >>> Plus include the fact that google and friends are trying to block
    >>> 'http' (no s) static sites, seems it is a continuation of a war on
    >>> General Computing.
    >>
    >> I don’t know why you think general-purpose computers are incapable of
    >> secure communication through the Internet. Where do you think such
    >> secure communication got invented?
    >
    > Of course they can connect right now, but as time goes on
    > I am sure at some point, general purpose computers will start
    > being blocked. Google no longer returns non-secure sites.
    > Firefox blocks ftp sites and I believe http pages unless you
    > go looking for options to set.

    Why do you believe Firefox blocks http pages?
    (It does not block them by default.)
    --
    https://www.greenend.org.uk/rjk/
  • From Lawrence D'Oliveiro@ldo@nz.invalid to comp.misc on Sun Apr 13 21:33:38 2025

    On Sun, 13 Apr 2025 17:39:56 -0000 (UTC), John McCue wrote:

    > Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
    >
    >> On Sat, 12 Apr 2025 14:06:58 -0000 (UTC), John McCue wrote:
    >>
    >>> Plus include the fact that google and friends are trying to block
    >>> 'http' (no s) static sites, seems it is a continuation of a war on
    >>> General Computing.
    >>
    >> I don’t know why you think general-purpose computers are incapable of
    >> secure communication through the Internet. Where do you think such
    >> secure communication got invented?
    >
    > Of course they can connect right now, but as time goes on I am sure at
    > some point, general purpose computers will start being blocked.

    I wonder how you think those sites are going to detect that your secure
    connection is coming from a “general-purpose computer”, and block it.
  • From Lawrence D'Oliveiro@ldo@nz.invalid to comp.misc on Sun Apr 13 21:37:38 2025

    On Sun, 13 Apr 2025 16:27:07 +0100, Richmond wrote:

    > Lawrence D'Oliveiro <ldo@nz.invalid> writes:
    >
    >> The revenue-grab reason may backfire. For most purposes, a free cert
    >> service like Let’s Encrypt is quite sufficient, and it’s easy enough
    >> to set your system to run a cron task (or systemd timer) to
    >> auto-renew. This already happens by default on a Debian installation,
    >> for example.
    >
    > What about the increased load on the servers of all the extra renewals?

    With Let’s Encrypt, everything’s automated at their end, too.
  • From Lawrence D'Oliveiro@ldo@nz.invalid to comp.misc on Mon Apr 14 22:28:44 2025

    On Fri, 11 Apr 2025 22:32:56 -0000 (UTC), I wrote:

    > For most purposes, a free cert service like Let’s Encrypt is quite
    > sufficient ...

    Speaking of which, Let’s Encrypt are going to offer the option to
    shorten their certificate lifetimes, from the former 90 days down to as
    little as 6 days <https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/>.

    Since theirs is a free service, their motives are entirely to do with
    security. Why is such a short interval a good idea? Because it shortens
    the exposure window, should a certificate key become compromised.

    There is a mechanism called “certificate revocation”, but it tends to be
    cumbersome and troublesome. With such a short certificate lifetime, there
    will be less need for such a thing: if you suffer a certificate security
    breach, just immediately get a new certificate with a new key, and be
    extra-vigilant during the few days until the old one expires.
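Two points in this thread invite a concrete check: the opening post's advice to renew on a cron task or systemd timer, and the last post's argument that a short lifetime, not revocation, is what bounds the damage from a stolen key. The following Go program is an added example and not code from any poster, the CA/Browser Forum ballot, or Let’s Encrypt. It issues a throwaway self-signed certificate of a chosen lifetime (a stand-in for a CA-issued one), parses it back the way a renewal script would parse a file on disk, then applies an assumed renew-at-two-thirds-of-lifetime rule and computes how long a key stolen on a given day stays usable if clients never check revocation. The renewal fraction, the hostname example.invalid and the helper names are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// renewAfter returns the instant at which a renewal timer should start
// requesting a replacement: two thirds of the way through the validity
// period (an assumed policy for this example; it leaves the final third
// for retries before expiry). Integer arithmetic on time.Duration avoids
// float rounding.
func renewAfter(cert *x509.Certificate) time.Time {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return cert.NotBefore.Add(lifetime * 2 / 3)
}

// shouldRenew reports whether a renewal is due at 'now'.
func shouldRenew(cert *x509.Certificate, now time.Time) bool {
	return !now.Before(renewAfter(cert))
}

// exposureWindow is how long a private key stolen at 'compromisedAt'
// remains usable by the thief when clients ignore revocation: until the
// certificate's NotAfter, and not at all if it had already expired.
func exposureWindow(cert *x509.Certificate, compromisedAt time.Time) time.Duration {
	if !compromisedAt.Before(cert.NotAfter) {
		return 0
	}
	return cert.NotAfter.Sub(compromisedAt)
}

// selfSigned mints a throwaway self-signed leaf for 'name', valid for
// 'lifetime' starting at notBefore (constructed sample, not a CA-issued
// certificate), and returns it parsed from PEM so the rest of the code
// exercises the same path a renewal script uses on a file on disk.
func selfSigned(name string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

func main() {
	issued := time.Date(2025, 4, 11, 0, 0, 0, 0, time.UTC)
	stolen := issued.Add(24 * time.Hour) // key exfiltrated one day after issuance
	for _, days := range []int{398, 90, 47, 6} {
		cert, err := selfSigned("example.invalid", issued, time.Duration(days)*24*time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%3d-day cert: renew from %s; key stolen on day 1 usable for %.1f days\n",
			days, renewAfter(cert).Format("2006-01-02"),
			exposureWindow(cert, stolen).Hours()/24)
	}
}
```

For a 47-day certificate the rule starts renewing a little after day 31, which leaves roughly two weeks of timer runs to recover from a CA outage or a failed challenge; the same rule on a 90-day certificate reproduces the familiar renew-at-60-days schedule. The exposure figure is the point of the last post: whatever the revocation machinery does, a thief holds a usable key for at most the remaining validity, so shrinking the lifetime shrinks the worst case without anyone having to publish or fetch a revocation.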