HackerTrans
トップ新着トレンドコメント過去質問紹介求人

jaas

no profile record

投稿

6-Day and IP Address Certificates Are Generally Available

letsencrypt.org
506 ポイント·投稿者 jaas·6 か月前·281 コメント

コメント

jaas
·22 日前·議論
No worries
jaas
·22 日前·議論
Yeah, thanks
jaas
·22 日前·議論
Since Let's Encrypt wasn't down most of the day if would be helpful if you could update the title to reflect that.
jaas
·22 日前·議論
Mostly 90 days, and we recommend renewing at 60 days for 90 day certs. That gives more than four weeks of leeway.

If you're one of the few early adopters of short-lived (6-day) certs you should renew at 3 days, giving you 3 days for a successful renewal. A 90 minute outage, even if it was a full outage, would not interfere with a successful renewal.
jaas
·22 日前·議論
It would not have been sticky for the entire day. If it was sticky at all, it would have been only during the 90 minute period I referenced. It's most likely that there is some other issue with how you're requesting the cert. Folks can help debug at: https://community.letsencrypt.org/
jaas
·22 日前·議論
> That explains why one of my IoT vendors is using an expired certificate.

I don't think so. There was a dip in success rates for 90 minutes today, but nobody should be renewing their certificate within 90 minutes of expiration. If you're at that point, something went wrong weeks ago.
jaas
·22 日前·議論
Let's Encrypt has been working normally for most of the day. There was a ~90 minute period during which some of our users would have received a higher error rate due to upstream networking issues, but the majority of requests were successful even during that period.

It seems our status.io notes are being misinterpreted as much more severe than they were intended to reflect.

Edit: Note that this was written in response to a previous submission title implying that Let's Encrypt was entirely down most of the day.
jaas
·先月·議論
I'm not sure if you're talking generally about sanctions or specifically about Let's Encrypt, but to avoid any doubt: citizens of Crimea are free to use Let's Encrypt. We do not, however, serve government entities in occupied Crimea.
jaas
·先月·議論
I was referring to the requirements imposed on us. When it comes to sanctions, we do not block anything more than what is required by law.
jaas
·先月·議論
Let's Encrypt continues to be available to almost every vulnerable population in the world, including those that need it most. I say almost as I'm hesitant to speak in absolutes regarding a topic as complex as this.

Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.

This subscriber agreement update was intended to better reflect our legal requirements. It does not reflect a major change in the service we provide. Our compliance program does evolve over time, and part of that is communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.

> That said, pretty sure this is stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.

It doesn't.
jaas
·先月·議論
Sanctions compliance is unfortunately fairly complex.

Let's Encrypt can issue certificates for non-government entities in Iran and Russia due to statutory exemptions protecting personal communications, alongside specific Office of Foreign Assets Control (OFAC) authorizations designed to promote Internet freedom and human rights.

We will look into whether we can make things more easily understandable in the subscriber agreement.
jaas
·先月·議論
Let's Encrypt certificates continue to be available in both Iran and Russia, just not for the Iranian and Russian governments.

The terms of service update to clarify what we have always done, comply with relevant law, has not changed the situation for either country.
jaas
·2 か月前·議論
In that sense, prepare yourself to be bored.
jaas
·2 か月前·議論
Stopping all issuance is an pretty standard response if a CA thinks what they are issuing might be non-compliant in any way. It's an action we're required to take. It's not necessarily a sign of a more dramatic failure mode or key compromise. That said, the impact is the same for as long as the downtime lasts so it is unfortunate and we're sorry for the disruption.

I don't think the premise behind short lived (six day) certificates being viable is that CA issuance never goes down. Sure, the runway is shorter, but not that short. Most down time is a few hours or less, which is not a problem for six day certificates that should be renewed every three days.

Short lived certificates are optional though, so if it's not worth it to you there are longer lifetime options.
jaas
·2 か月前·議論
This is a compliance incident, we should be issuing again shortly.

Update: Issuance is back up.

Update: Preliminary incident report:

https://bugzilla.mozilla.org/show_bug.cgi?id=2038351
jaas
·7 か月前·議論
Seat heat is one click in my 2022 Volvo. Or as others have noted, you can use your voice.
jaas
·8 か月前·議論
It’s hard to be ready for a world you do not understand, and the world is a lot more than engineering or any other single subject.
jaas
·9 か月前·議論
Their networking is awful in my experience. The WiFi chip is cheap crap, extremely sensitive, cuts out a lot, and doesn’t support WPA3.

I had to set up a dedicated Nanit-only AP in my house in order to stabilize the connection. It would not work any other way, tried many different configurations, even other APs.
jaas
·10 か月前·議論
I know lots of parents in NYC (where I live with multiple kids) and their lives have not “broken down.” What an absurd statement/generalization.
jaas
·10 か月前·議論
Rust is generally a much better tool for building software than C. When your software is built with better tools, you will most likely get better software (at least eventually / long term, sometimes a transition period can be temporarily worse or at least not better).