HackerTrans
トップ新着トレンドコメント過去質問紹介求人

nickf

no profile record

コメント

nickf
·28 日前·議論
Hanno - we may have communicated before some years ago, but am more than happy to offer any help I can (if some of our customers are/were affected, happy to reach out and see if they can give you more answers as to which products). nick (at) sectigo (dot) com
nickf
·先月·議論
For any target of sufficient value that a government would do that, yes. Of course it doesn't happen anyway, because governments don't have some kind of secret access to CAs.
nickf
·先月·議論
I would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best.
nickf
·先月·議論
ZeroSSL aren't an EU-based alternative, unfortunately.
nickf
·先月·議論
If a cert doesn't contain the requisite number of valid SCTs from logs that are specifically usable in the browser - it will not work.
nickf
·2 か月前·議論
You’re right of course, but Apple won’t do it - they’re happily running a two-tier system where Uber, eBay, Doordash can force spam notifications on you with impunity. All my settings for marketing are off - eBay still sends me notifications about coupons (and additionally there’s no way to actually contact them to complain, of course). Doordash won’t let me get delivery notifications without marketing notifications.

Apple could fully enforce their policies and fix this in a heartbeat, but they won’t.
nickf
·4 か月前·議論
While I sort-of see what you're trying to say, if you knew the groups and teams involved - you'd know there was no favouritism and a strong degree of separation between CA and root programs.

The root programs who have their own CAs are also cloud providers, who arguably have a legitimate need for the CA. Or in Apple's case they have their own CA, but don't issue externally. They keep CA and root program separate.
nickf
·4 か月前·議論
That's absolutely incorrect. While CABF sets the 'Baseline Requirements' that ultimately go into the WebTrust audit scheme that root programs use to accept roots into their trust stores...browsers can and do set their own rules.

The reduction of TLS cert lifetime to a max of 398 days was an Apple policy.
nickf
·4 か月前·議論
Your failure to see the problem doesn’t mean it doesn’t exist. 40x the size might not really be an issue for the hypothetical server you’ve suggested - but that isn’t the reality for the world. Many devices do HTTPS and TLS. Not to mention the issue is more with the clients. CT logs would get a lot harder to run (and they’re already not so easy).
nickf
·5 か月前·議論
Google dominate the space because they have an active, robust trust-store program that they manage well. Apple the same. Mozilla and Microsoft too (though to a lesser extent).

If any ecosystem - such as XMPP - wishes to, they could start their own root-program, but many simply copy what Chrome or Mozilla do and then are surprised when things change.
nickf
·5 か月前·議論
Not really, no. There are a number of reasons for cert lifetimes being made shorter.
nickf
·5 か月前·議論
A public CA checks it one-time, when it's being issued. Most/all mTLS use-cases don't do any checking of the client cert in any capacity. Worse still, some APIs (mainly for finance companies) require things like OV and EV, but of course they couldn't check the Subject DN if they wanted to.

If it's for auth, issue it yourself and don't rely on a third-party like a public CA.
nickf
·5 か月前·議論
Eh, it's pretty easy to impersonate if the values in the certificate aren't checked, and you could get one from any of a list of public CAs.

If you're relying on a certificate for authentication - issue it yourself.
nickf
·5 か月前·議論
Publicly-trusted client authentication does nothing. It's not a thing that should exist, or is needed.
nickf
·5 か月前·議論
Client authentication with publicly-trusted (i.e. chaining to roots in one of the major 4 or 5 trust-store programs) is bad. It doesn't actually authenticate anything at all, and never has.

No-one that uses it is authenticating anything more than the other party has an internet connection and the ability, perhaps, to read. No part of the Subject DN or SAN is checked. It's just that it's 'easy' to rely on an existing trust-store rather than implement something secure using private PKI.

Some providers who 'require' public TLS certs for mTLS even specify specific products and CAs (OV, EV from specific CAs) not realising that both the CAs and the roots are going to rotate more frequently in future.
nickf
·5 か月前·議論
You are correct, and the answer is - no-one using publicly-trusted TLS certs for client authentication is actually doing any authentication. At best, they're verifying the other party has an internet connection and perhaps the ability to read.

It was only ever used because other options are harder to implement.
nickf
·6 か月前·議論
It’ll be 5 years soon.
nickf
·7 か月前·議論
I was mostly just typing out what they had listed under 'products' on their pages. I'm aware of what Mozilla do, know folks there and that have been there. They've been roundly criticised for adding 'products' of questionable value to their core userbase, rightly so in my opinion.
nickf
·7 か月前·議論
...which is arguably the problem. Firefox. Thunderbird. That should be it. According to their own site, beyond that they have the browser app for mobile devices. A VPN service, an email-forwarding service, and MDN. Hardly 'many products'.
nickf
·7 か月前·議論
There are ways to do this as pointed out below - CNAME all your domains to one target domain and make the changes there. There’s also a new DCV method that only needs a single, static record. Expect CA support widely in the coming weeks and months. That might help?