undefined | Better HN

0 pointshananova3d ago0 comments

The whole point of these shorter certificate durations is to force companies to put in automation that doesn't require 14 layers of paperwork. Some companies will be stubborn, and will thus be locked in an eternal cycle of renew->get paperwork started for renew. Most will adapt.

0 comments

ajsnigrutin1d ago

It's the government... they have 30 different services just in that department, made by 30 different companies with 30 different support companies, two of those don't exist anymore, 3 have been bought by cisco, two by google, 2 services are behind some old palo alto web proxy that's centrally managed by some other department, one service is written in cobol, one requires the cert to be on a usb flash drive and another on a memory stick.

It's cheaper to pay someone just to take care of the certs (unless their bosses and procurement and accounting messes up) than to fix all that.

I've seen government stuff, i wouldn't touch it with a 5m pole.

hananovaOP1d ago

I don't see how any of that is the CA's problem. As far as I'm concerned, the CA's and browser vendors are entirely in the right to go "Here's the new rules. Adapt. Or don't, we don't care."

ajsnigrutin13h ago

Well, they didn't, and you have to click through "i understand" (or whatever) to see the contents from servers with expired certs. Usually you need files from them and not vice-versa, sp as far as they're concerned, it's your problem now.

j / k navigate · click thread line to collapse