Andrew Ayer
Exactly five years ago, I made this Git commit to discontinue multi-year certificates at . Today the CA/Browser Forum finished voting on a ballot to limit all publicly-trusted certificates to 1 year. (1/7)
Andrew Ayer Sep 10
Replying to @__agwa
Although the ballot failed (), it had unanimous browser support, and I anticipate that browsers will limit certificates to 1 year anyways. (2/7)
Andrew Ayer Sep 10
Replying to @__agwa
1 year certs are good for regular Web users, because certificates issued with weak cryptography or weak validation practices are cycled out faster. Security improvements, like Certificate Transparency, can be rolled out more quickly. (3/7)
Andrew Ayer Sep 10
Replying to @__agwa
1 year certs are good for site operators because certificate renewal is a more regular event rather than something that they have to scramble to remember how to do at the last minute. (Full automation is even better, but not always feasible yet. 1 year is a happy medium.) (4/7)
Andrew Ayer Sep 10
Replying to @SSLMate
1 year certs are more honest, because serious security incidents mean a long-lived cert might not remain valid for its entire term. Every 5 year cert issued through before Sep 2014 had to be replaced twice: for the SHA-1 deprecation, and for the Symantec distrust. (5/7)
Andrew Ayer Sep 10
Replying to @SSLMate
1 year certs are better for , since they allow us to iterate more quickly without having to deal with legacy baggage. I deleted 20k lines of code in April. I couldn't have deleted all that code if the system still had to manage certificates issued in 2014. (6/7)
Andrew Ayer Sep 10
Replying to @__agwa
I can't wait to see certificates limited to 1 year everywhere, and I'm proud I was ahead of the curve on this. (7/7)
Janno Schouwenburg Sep 10
Replying to @__agwa @matthew_d_green @SSLMate
Still an industry failure to not get revoking implemented right
Andrew Ayer Sep 10
The move to 1 year certs doesn't have much to do with revocation.
lamby Sep 10
Replying to @__agwa @SSLMate
Somewhat off-topic but... what on earth is that typeface?! :)
AndrewLighten Sep 10
Replying to @lolamby @__agwa @SSLMate
Looks like the classic Sun typeface.