undefined | Better HN

0 pointsPunchyHamster2mo ago0 comments

> Certificate transparency effectively means that any government actually uses a false certificate on the wider web and their root cert will get revoked.

the ENTIRE reason the short lifetime is used for the LE certs is that they haven't figured out how to make revoking work at scale.

Now if you're on latest browser you might be fine but any and every embedded device have their root CAs updated only on software update, which means compromise of CA might easily get access to hundreds of thousands devices.

0 comments

Dylan168072mo ago

> the ENTIRE reason the short lifetime is used for the LE certs is that they haven't figured out how to make revoking work at scale.

And 200 is not "at scale". The list of difficulties in revoking roots is a very different list from the problem you're citing.

> any and every embedded device

Yes it's flawed but it's so much better than the previous nothing we had for detecting one of the too-many CAs going rogue.

j / k navigate · click thread line to collapse