On Thu, Aug 16, 2018 at 6:52 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> It seems that my response to this presentation has brought out the crowd
> of people who are constantly looking to reduce the usefulness of
> certificates to anyone but the largest mega-corporations.
>
> To summarize my problem with this:
>
>   - While some large IT operations (and a minority of small ones) run
>    fully automated setups that can trivially handle replacing
>    certificates many times per year, many other certificate holders treat
>    certificate replacement as a rare event that involves a lot of manual
>    labor.  Shortening the maximum duration of certificates down to Let's
>    Encrypt levels will be a massive burden in terms of wasted man-hours
>    accumulated over millions (billions?) of organizations having to do 4
>    times a year what they used to do every two or five years.
>

The trend is away from manual replacement, not towards it -- and that's
true for individual people, for large enterprises, and for smaller
companies in between. For individuals and smaller enterprises, this
manifests mostly in the increasing outsourcing of certificate management to
third parties (e.g. SquareSpace, CloudFlare, AWS Certificate Manager,
etc.).

For larger enterprises, the same outsourcing is also present and is
mitigating manual rotation burdens, but some are also investing in their
own systems for automation inside their environments. I've seen several
spring up in enterprise environments I'm close to in the last few years in
order to handle the increasing pressure to secure connections by default
even when the certificate volume is high.

Reducing certificate lifetimes to 13 months, in addition to addressing the
real security issue identified by the Lost and Found Certificates
presentation, is likely to further these trends, which would be a positive
development both for user security and enterprise agility.

>   - While infinitely wealthy organizations can afford to get separate
>    certificates for each DNS name, and while lowest-security (DV)
>    certificates are now available for zero dollars in the US, SANs remain
>    significant in case of high security validation (OV, EV) that costs
>    real money and effort, both to pay the CA and to provide evidence of
>    human and organizational genuineness, such as showing government IDs,
>    obtaining certified copies of registration statements, answering
>    validation phone calls to CEOs at strange hours etc.
>

DV certificates are appropriate for even the largest of organizations, and
are likely to supplant OV/EV certificates over time. For an example by one
of the largest enterprises in the world, see the U.S. Department of
Defense's policy changes to allow and encourage the use of DV certificates
throughout its public-facing infrastructure, and their public commitment to
Congress to use this policy change to complete their public HTTPS-only
transition by the end of 2018:

https://www.wyden.senate.gov/imo/media/doc/wyden-web-encryption-letter-to-dod-cio.pdf

>
> Off topic notes related to this thread:
>
>   - It is bad form to reply to posts with a personal e-mail cc-ed to the
>    mailing list unless explicitly requested by the original poster.
>

So you're aware, this is the default behavior of "Reply All" for this list,
at least in Gmail. If this creates a particular hassle for people, I can
personally try to remember to remove their emails when replying to the list
-- but I think the only practical way to address this would be to modify
the list settings in some way, rather than ask for changes from individual
posters.

-- Eric
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy