Spooky23 3 days ago
Desired by who? There’s nothing stopping Apple and Google from issuing themselves certificates every 10 minutes. I get no value for doing this. Building out or expanding my own PKI for my company or setting up the infrastructure to integrate with Digicert or whomever gets me zero security and business value, just cost and toil. Revocation is most often an issue when CAs fuck up. So now we collectively need to pay to cover their rears.
crote 3 days ago | parent
CAs fucking up every once in a while is inevitable. It is impossible to write guaranteed bug-free software or train guaranteed flawless humans. The big question is what happens when (not "if") that happens. Companies have repeatedly shown that they are unable to rotate certs in time, to the point of even suing CAs to avoid revocation. They've been asked nicely to get their shit together, and it hasn't happened. Shortening cert lifetime to force automation is the inevitable next step.