Posted by schmuckonwheels 1 day ago

Upcoming Changes to Let's Encrypt Certificates(community.letsencrypt.org)
312 points | 293 comments, page 3
maltris 22 hours ago
Wondering: Is there a good tool for centralized ACME cert management when one runs a large infrastructure, highly available, multi location where it makes little sense to run the ACME client directly on each instance or location?
lousken 1 day ago
I am not sure how I feel about this solution. It is already painful to deal with certs on every single piece of IT equipment. Unless you create and manage your own CA and manage it, which is an extra burden, what is the point of this? This will only create more janky scripts and annoyances for very little benefit.

What's next? Enforcing email signing with SMIME or PGP?

jcims 1 day ago
I used to be knee deep in PKI stuff, now I hardly pay attention.

Two quick questions:

1 - Are there any TLS libraries that enable warnings when certs are nearing expiration?

2 - Are there any extensions in the works (or previous failed attempts) for TLS to have the client validate the next planned certificate and signal both ends when that fails?

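Question 1 above asks whether any TLS library warns when a certificate is close to expiring. As an added example (not code from the thread, from Let's Encrypt, or from any library mentioned here), this Go program shows the check that monitoring would implement with only the standard library's crypto/x509: it compares the remaining validity with the certificate's own lifetime, so the same policy scales from 90-day to the 45-day certificates discussed in the thread. The self-signed certificate it builds is constructed test input so the program runs offline, and the 1/3-of-lifetime renewal window is an assumed policy value, not something the thread states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math"
	"math/big"
	"time"
)

// RenewalStatus is the result of checking a certificate against a renewal policy.
type RenewalStatus int

const (
	StatusOK        RenewalStatus = iota // plenty of lifetime left
	StatusRenewSoon                      // inside the renewal window: alert and renew
	StatusExpired                        // NotAfter is in the past: already an outage
)

func (s RenewalStatus) String() string {
	switch s {
	case StatusOK:
		return "ok"
	case StatusRenewSoon:
		return "renew-soon"
	case StatusExpired:
		return "expired"
	}
	return "unknown"
}

// DaysUntilExpiry returns whole days from now until NotAfter (negative once expired).
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(math.Floor(cert.NotAfter.Sub(now).Hours() / 24))
}

// CheckExpiry flags a certificate once less than renewFraction of its total
// lifetime (NotAfter - NotBefore) remains. Using a fraction rather than a fixed
// day count means one policy covers both 90-day and 45-day certificates: with
// renewFraction = 1/3 the alert fires at 30 and 15 days respectively.
// (1/3 is an assumed policy value chosen for this example.)
func CheckExpiry(cert *x509.Certificate, now time.Time, renewFraction float64) RenewalStatus {
	remaining := cert.NotAfter.Sub(now)
	if remaining <= 0 {
		return StatusExpired
	}
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	window := time.Duration(float64(lifetime) * renewFraction)
	if remaining < window {
		return StatusRenewSoon
	}
	return StatusOK
}

// CheckPEM parses the first CERTIFICATE block in pemData (for example a file
// read from disk or a leaf captured from a TLS handshake) and runs CheckExpiry on it.
func CheckPEM(pemData []byte, now time.Time, renewFraction float64) (RenewalStatus, error) {
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return StatusExpired, err
		}
		return CheckExpiry(cert, now, renewFraction), nil
	}
	return StatusExpired, errors.New("no CERTIFICATE block found")
}

// NewSelfSignedCert builds a throwaway self-signed certificate with the given
// validity window so the checks above can run offline. Constructed test input,
// not a certificate from any CA.
func NewSelfSignedCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// X.509 encodes times to the second, so truncate now to keep the day count exact.
	now := time.Now().Truncate(time.Second)
	// A 45-day certificate issued 35 days ago: 10 days left, inside the 1/3 window.
	cert, err := NewSelfSignedCert(now.AddDate(0, 0, -35), now.AddDate(0, 0, 10))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %d days left, status=%s\n",
		cert.Subject.CommonName, DaysUntilExpiry(cert, now), CheckExpiry(cert, now, 1.0/3))
}
```

In practice CheckPEM would be fed the leaf from each endpoint on a schedule, and a "renew-soon" result would page before the certificate expires rather than after; the fraction-based window is what keeps such a monitor correct when lifetimes shrink.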
ekr____ 1 day ago
To the best of my knowledge the answer to "2" is no.
jcims 15 hours ago
I did a bunch of work with Verisign as a contractor back in the early 2000s and got to see some of the systems and infrastructure issuing a good portion of the world's certificates at that time. 15 years later I was at Google when they let an intermediate certificate in their SMTP certs expire and had a major GMail outage. At work last week we had a major outage related to certificate issues. Of course there are thousands upon thousands of stories like that in between.

The chains of trust you can build with PKI have been incredibly useful and instrumental to securing code, data and traffic, but the fact that it's still subject to such brittle failure modes is bemusing.

PunchyHamster 1 day ago
The whole thing is very silly security-wise anyway.

Okay, so your cert leaked. Will having it leaked for 1.5 months be substantially less dangerous than 90 days? Nope, you're fucked from day one, it's still massively worse than "a browser asynchronously checks whether site's cert has been revoked"

h43z 1 day ago
Did I understand that correctly that I will be able to get a certificate for an IP?
phasmantistes 19 hours ago
Yep! Should be available to the general public (as long as you're using an ACME client that can be configured to request a specific profile) later this week.
ChrisArchitect 1 day ago
Related:

Decreasing Certificate Lifetimes to 45 Days

https://news.ycombinator.com/item?id=46117126

kmeisthax 1 day ago
Let's Encrypt, you're not even a for-profit business; there's nobody you need to shield the blow from. Just say "we're reducing certificate lifetimes to comply with CA/Browser Forum rules". You don't need to do the cowardly "replace lower with change" in the headline thing.
danparsonson 1 day ago
The announcement is about several changes they're making, not just about cert lifetimes.
victorbjorklund 1 day ago
That does not make any sense. Plenty of things on the internet are Open Source / Non-profit yet it affects us a lot. Of course it’s good to give people relying on your stuff heads-up etc.
wizzwizz4 1 day ago
GP is criticising the use of language in the headline, not the fact there's an announcement.
b112 1 day ago
Plus, the announcer is standing in front of a hedge.

I'm not sure why, but every corporate picture I've seen of someone, in this context, is standing in front of a hedge. Seems to be a California thing?

(Where I live, we only have leaves on hedges 6 months of the year)

asadotzler 1 day ago
It's "let's not take your picture inside of the office because everyone hates the inside of offices. let's take your picture outside instead, near the office, but not featuring the office. oh, that tree over there is nice, but darn, the lighting underneath its branches isn't great. hey, that hedge over there reads great in light test and it works with what you're wearing, so, yeah, that'll do just fine."
mcpherrinm 1 day ago
It was actually outside of my small apartment with bad lighting
tptacek 1 day ago
The announcer, Matthew McPherrin, is a frequent commenter here (and a stand-up person deeply involved with information security).