HackerTrans
TopNewTrendsCommentsPastAskShowJobs

nickf

no profile record

comments

nickf
·قبل 27 يومًا·discuss
Hanno - we may have communicated before some years ago, but am more than happy to offer any help I can (if some of our customers are/were affected, happy to reach out and see if they can give you more answers as to which products). nick (at) sectigo (dot) com
nickf
·الشهر الماضي·discuss
For any target of sufficient value that a government would do that, yes. Of course it doesn't happen anyway, because governments don't have some kind of secret access to CAs.
nickf
·الشهر الماضي·discuss
I would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best.
nickf
·الشهر الماضي·discuss
ZeroSSL aren't an EU-based alternative, unfortunately.
nickf
·الشهر الماضي·discuss
If a cert doesn't contain the requisite number of valid SCTs from logs that are specifically usable in the browser - it will not work.
nickf
·قبل شهرين·discuss
You’re right of course, but Apple won’t do it - they’re happily running a two-tier system where Uber, eBay, Doordash can force spam notifications on you with impunity. All my settings for marketing are off - eBay still sends me notifications about coupons (and additionally there’s no way to actually contact them to complain, of course). Doordash won’t let me get delivery notifications without marketing notifications.

Apple could fully enforce their policies and fix this in a heartbeat, but they won’t.
nickf
·قبل 4 أشهر·discuss
While I sort-of see what you're trying to say, if you knew the groups and teams involved - you'd know there was no favouritism and a strong degree of separation between CA and root programs.

The root programs who have their own CAs are also cloud providers, who arguably have a legitimate need for the CA. Or in Apple's case they have their own CA, but don't issue externally. They keep CA and root program separate.
nickf
·قبل 4 أشهر·discuss
That's absolutely incorrect. While CABF sets the 'Baseline Requirements' that ultimately go into the WebTrust audit scheme that root programs use to accept roots into their trust stores...browsers can and do set their own rules.

The reduction of TLS cert lifetime to a max of 398 days was an Apple policy.
nickf
·قبل 4 أشهر·discuss
Your failure to see the problem doesn’t mean it doesn’t exist. 40x the size might not really be an issue for the hypothetical server you’ve suggested - but that isn’t the reality for the world. Many devices do HTTPS and TLS. Not to mention the issue is more with the clients. CT logs would get a lot harder to run (and they’re already not so easy).
nickf
·قبل 5 أشهر·discuss
Google dominate the space because they have an active, robust trust-store program that they manage well. Apple the same. Mozilla and Microsoft too (though to a lesser extent).

If any ecosystem - such as XMPP - wishes to, they could start their own root-program, but many simply copy what Chrome or Mozilla do and then are surprised when things change.
nickf
·قبل 5 أشهر·discuss
Not really, no. There are a number of reasons for cert lifetimes being made shorter.
nickf
·قبل 5 أشهر·discuss
A public CA checks it one-time, when it's being issued. Most/all mTLS use-cases don't do any checking of the client cert in any capacity. Worse still, some APIs (mainly for finance companies) require things like OV and EV, but of course they couldn't check the Subject DN if they wanted to.

If it's for auth, issue it yourself and don't rely on a third-party like a public CA.
nickf
·قبل 5 أشهر·discuss
Eh, it's pretty easy to impersonate if the values in the certificate aren't checked, and you could get one from any of a list of public CAs.

If you're relying on a certificate for authentication - issue it yourself.
nickf
·قبل 5 أشهر·discuss
Publicly-trusted client authentication does nothing. It's not a thing that should exist, or is needed.
nickf
·قبل 5 أشهر·discuss
Client authentication with publicly-trusted (i.e. chaining to roots in one of the major 4 or 5 trust-store programs) is bad. It doesn't actually authenticate anything at all, and never has.

No-one that uses it is authenticating anything more than the other party has an internet connection and the ability, perhaps, to read. No part of the Subject DN or SAN is checked. It's just that it's 'easy' to rely on an existing trust-store rather than implement something secure using private PKI.

Some providers who 'require' public TLS certs for mTLS even specify specific products and CAs (OV, EV from specific CAs) not realising that both the CAs and the roots are going to rotate more frequently in future.
nickf
·قبل 5 أشهر·discuss
You are correct, and the answer is - no-one using publicly-trusted TLS certs for client authentication is actually doing any authentication. At best, they're verifying the other party has an internet connection and perhaps the ability to read.

It was only ever used because other options are harder to implement.
nickf
·قبل 6 أشهر·discuss
It’ll be 5 years soon.
nickf
·قبل 7 أشهر·discuss
I was mostly just typing out what they had listed under 'products' on their pages. I'm aware of what Mozilla do, know folks there and that have been there. They've been roundly criticised for adding 'products' of questionable value to their core userbase, rightly so in my opinion.
nickf
·قبل 7 أشهر·discuss
...which is arguably the problem. Firefox. Thunderbird. That should be it. According to their own site, beyond that they have the browser app for mobile devices. A VPN service, an email-forwarding service, and MDN. Hardly 'many products'.
nickf
·قبل 7 أشهر·discuss
There are ways to do this as pointed out below - CNAME all your domains to one target domain and make the changes there. There’s also a new DCV method that only needs a single, static record. Expect CA support widely in the coming weeks and months. That might help?