On Mon, Aug 20, 2018 at 05:28:15PM -0700, Michael Casadevall via dev-security-policy wrote:
> On 08/19/2018 12:56 PM, Eric Mill via dev-security-policy wrote:
> > The trend is away from manual replacement, not towards it -- and that's
> > true for individual people, for large enterprises, and for smaller
> > companies in between. For individuals and smaller enterprises, this
> > manifests mostly in the increasing outsourcing of certificate management to
> > third parties (e.g. SquareSpace, CloudFlare, AWS Certificate Manager,
> > etc.).
>
> In my limited experience, this trend is *because* of Let's Encrypt
> getting them to do it four times a year.

Hardly. Anyone who deals with certificates at even modest scale has been
working on automating certificate issuance for a long time ($DEITY knows I
certainly have been). Most CAs have some way to get DV certificates
automatically, it's just that they're unique to each CA (hurrah customer
lock-in!) and generally abysmally poor UX. It's simply that Let's Encrypt
was the first one to provide a sensible means of automating the entire
process, along with providing useful tooling to make it practical for the
vast majority of people to have automated certificate issuance, which means
that shorter lifetimes become more practical.

> If we could fix revocation so it could work effectively, longer lived
> certificates would be less of a risk factor.

That's somewhat akin to saying "if we could just fix that silly
speed-of-light problem, we'd be having dinner in orbit around Sirius A".

Actually, speed-of-light *is* somewhat related to (one of) the problems of
revocation...

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
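The two points in this message (automated renewal is what makes short lifetimes practical, and without working revocation a certificate's remaining lifetime bounds how long a compromised key stays trusted) can be made concrete with a small simulation. The code below is an added example, not part of the thread or of any CA's or ACME client's code; the renewal policy it assumes ("renew when 30 days or less remain", the common default for 90-day certificates) and the sample validity periods are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Renewal policy assumed for this example: renew whenever the certificate has
# `renew_before` or less of its validity left. An automated client runs this
# check every day; a human running it by hand is what short lifetimes make impractical.
DEFAULT_RENEW_BEFORE = timedelta(days=30)


def should_renew(not_after: datetime, now: datetime,
                 renew_before: timedelta = DEFAULT_RENEW_BEFORE) -> bool:
    """True when the certificate should be replaced under the assumed policy."""
    return not_after - now <= renew_before


def renewal_schedule(first_not_before: datetime, horizon_days: int,
                     lifetime_days: int,
                     renew_before: timedelta = DEFAULT_RENEW_BEFORE) -> list:
    """Simulate a daily automated renewal check over `horizon_days`.

    Each renewal issues a fresh certificate valid for `lifetime_days` from that
    day. Returns the list of dates on which a renewal happened.
    """
    lifetime = timedelta(days=lifetime_days)
    not_after = first_not_before + lifetime
    renewals = []
    for day in range(horizon_days):
        now = first_not_before + timedelta(days=day)
        if should_renew(not_after, now, renew_before):
            not_after = now + lifetime
            renewals.append(now)
    return renewals


def unrevocable_exposure(compromise_at: datetime, not_after: datetime) -> timedelta:
    """How long a compromised key keeps being accepted if revocation cannot be
    relied on: the certificate stays trusted until it expires, so the exposure
    is simply the remaining validity at the time of compromise (zero if the
    certificate is already expired)."""
    return max(not_after - compromise_at, timedelta(0))


def worst_case_exposure_days(lifetime_days: int) -> int:
    """Worst case for a given lifetime: compromise right after issuance, so the
    key is trusted for the whole validity period. Longer lifetimes mean a
    longer worst case, which is the trade-off the thread is arguing about."""
    return lifetime_days


if __name__ == "__main__":
    # Constructed sample issuance date (not from the thread).
    start = datetime(2018, 8, 20, tzinfo=timezone.utc)
    for lifetime in (90, 825):
        dates = renewal_schedule(start, horizon_days=365, lifetime_days=lifetime)
        print(f"{lifetime}-day certificates: {len(dates)} renewals in one year, "
              f"worst-case unrevocable exposure {worst_case_exposure_days(lifetime)} days")
    # A compromise 10 days into a 90-day certificate leaves 80 days of exposure.
    issued = start
    print(unrevocable_exposure(issued + timedelta(days=10), issued + timedelta(days=90)).days)
```

Running it shows the cadence behind the "four times a year" remark from the other side of the renewal check: with a 30-day renewal margin a 90-day certificate is actually reissued every 60 days, so an automated client does it six times a year, while an 825-day certificate is never renewed within the year but leaves a compromised key trusted for up to 825 days if revocation does not reach the client.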