On Fri, Dec 13, 2024 at 08:15:43AM +0000, Peter Gutmann wrote: > Matt Palmer <[email protected]> writes: > >On Thu, Dec 12, 2024 at 09:56:11AM -0500, Jeffrey Walton wrote: > >> I share your concern over short-lived certificates, but for a > >> different reason: key continuity. Key continuity has proven to be a > >> much better security property than gratuitous key rotations based on > >> reading of tea leaves by tasseomancers. > > > >Do you have any citations you can share? > > Google "SSH", that's been running for about the same time as TLS using key > continuity. TLS has a booming global cybercrime industry built around the > failure of certificates to deal with spoofing, SSH has very little in the way > of spoofing (granted they're very different protocols serving different > purposes).
Yes, they're very, _very_ different protocols, serving very, _very_ different purposes. I do a lot of SSHing, but its to a fairly stable, rarely-changing set of names. The set of machines I make HTTPS connections to is far broader and ever-changing. TOFU for HTTPS would be... really something. > >From a brief web search, I'm not finding very much on the topic of key > >continuity. The most relevant-looking result is > >https://datatracker.ietf.org/doc/draft-gutmann-keycont/, which is an I-D that > >expired in 2009, and does not appear to have been pursued since. > > Bit of an odd choice to take an ancient expired RFC draft given the large > amount of research publications around this, The research publications areen't coming up on DDG, but your draft was -- that's why I made the "odd choice" of mentioning it. Would you be able to share links to some more relevant reading material? - Matt -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/e44b7949-122e-45a6-8fb0-5bc9e6247fd2%40mtasv.net.
