undefined | Better HN

0 pointsmark_round1d ago0 comments

That's really not good. Fortunately I'm not using any short-lived certificates like the recently announced 6 day certs, so have some breathing room. Without further details, I'd imagine anyone with a short-lived cert is getting a bit sweaty right now.

Let's Encrypt has become one of those pieces of critical Internet infrastructure that just quietly hums away in the background, the fact that they've stopped ALL issuance is deeply concerning.

0 comments

jaas1d ago

Stopping all issuance is an pretty standard response if a CA thinks what they are issuing might be non-compliant in any way. It's an action we're required to take. It's not necessarily a sign of a more dramatic failure mode or key compromise. That said, the impact is the same for as long as the downtime lasts so it is unfortunate and we're sorry for the disruption.

I don't think the premise behind short lived (six day) certificates being viable is that CA issuance never goes down. Sure, the runway is shorter, but not that short. Most down time is a few hours or less, which is not a problem for six day certificates that should be renewed every three days.

Short lived certificates are optional though, so if it's not worth it to you there are longer lifetime options.

Kwpolska1d ago

> Short lived certificates are optional though, so if it's not worth it to you there are longer lifetime options.

Are they going to be optional forever, or do you plan to eventually get rid of the longer lifetime options?

yrro15h ago

Ask the CA/Browser forum what they will insist upon

walrus011d ago

Considering the open source nature of Letsencrypt, I wonder what the barriers/costs would be (theoretically) to a wealthy benefactor who wanted to duplicate its server side infrastructure and a core staffing level of persons, and fund a "parallel" equally trusted, alternative entity with a solid governing board. Same general idea how Acton funded the Signal foundation.

Somewhere that none of the physical infrastructure/hosting environment overlapped with existing Letsencrypt stuff so that the failure of one entity would have zero blast radius affecting the other.

I know there's a long and complicated process to go through to become a trusted root CA and get your CA public cert auto-installed in every OS and browser trust store. Indeed in the early days of letsencrypt I recall their root CA certs were signed by other older root CAs.

dochtman1d ago

A lot of Let’s Encrypt is not the software but a bunch of auditing and process that ensure compliance and make it legible to the required auditors.

walrus011d ago

I understand there's probably a big thorny problem of duplicating the corporate process/policies on the human level that ensure compliance, but is the back-end software pipelining stuff to CT logs not also something that can be replicated? Or is it not part of the server side stuff which has been open sourced?

https://letsencrypt.org/docs/ct-logs/

1 more reply

computer231d ago

Google has their own free ACME endpoint: https://pki.goog/

pseudalopex1d ago

They implied it used a GCP account. It would require to give Google personal information, a phone number, and automatic payment permission. And Google not disable your account because your spouse uploaded images for your child's doctor.

nijave1d ago

ZeroSSL should also be drop in

1 more reply

jcims1d ago

I just find it incredible that in 30+ years the industry hasn't adapted one bit to the brittle failure modes of certificates. I did some subcontract work with Verisign to deploy their CA infrastructure back in the early oughties and it felt like a solution was overdue way back then. I was at Google in the teensies when gmail broke due to expired SMTP certs. WAAAY overdue by then. Here we are, a decade later and it's still the same lol.

yjftsjthsd-h1d ago

Other than automating renewal - which we have made huge strides on - what adaption would you want to see?

jcims1d ago

The number one thing for me would be to standardize methods to implement soft failures. Minimally in standard clients and libraries the ability to warn when certs are nearing expiration. Cert extensions to declare lifecycle expectations and possibly even warning endpoints for notification. Basically some way to empirically look at a valid cert and know something is wrong before it fails.

There are all sorts of potential privacy/security issues with any feature built in this area so it would have to be done carefully, but I think useful improvements could easily be made.

AlotOfReading1d ago

I'd like to see better support for networks that aren't connected to the broader internet, or moving away from X.509. Note that these are contradictory. X.509 was intentionally designed to support offline verification and has a lot of elaborate ceremony to support it (like all the rest of the OSI stack). The industry just doesn't, so we get the worst of both worlds.

packetlost1d ago

I mean, what's the alternative? I struggle to come up with a solution that doesn't boil down to the same primitive operations and trust model.

Havoc1d ago

>pieces of critical Internet infrastructure that just quietly hums away in the background,

And donation supported no less

cachius1d ago

Wonder what incident that even could have been.

nottorp1d ago

> like the recently announced 6 day certs

Just you wait for the 1 hour and 59 minutes certs! For security!

j / k navigate · click thread line to collapse

0 comments

jaas1d ago

Short lived certificates are optional though, so if it's not worth it to you there are longer lifetime options.

Kwpolska1d ago

> Short lived certificates are optional though, so if it's not worth it to you there are longer lifetime options.

Are they going to be optional forever, or do you plan to eventually get rid of the longer lifetime options?

yrro15h ago

Ask the CA/Browser forum what they will insist upon

walrus011d ago

Somewhere that none of the physical infrastructure/hosting environment overlapped with existing Letsencrypt stuff so that the failure of one entity would have zero blast radius affecting the other.

dochtman1d ago

A lot of Let’s Encrypt is not the software but a bunch of auditing and process that ensure compliance and make it legible to the required auditors.

walrus011d ago

https://letsencrypt.org/docs/ct-logs/

1 more reply

computer231d ago

Google has their own free ACME endpoint: https://pki.goog/

pseudalopex1d ago

nijave1d ago

ZeroSSL should also be drop in

1 more reply

jcims1d ago

yjftsjthsd-h1d ago

Other than automating renewal - which we have made huge strides on - what adaption would you want to see?

jcims1d ago

There are all sorts of potential privacy/security issues with any feature built in this area so it would have to be done carefully, but I think useful improvements could easily be made.

AlotOfReading1d ago

packetlost1d ago

I mean, what's the alternative? I struggle to come up with a solution that doesn't boil down to the same primitive operations and trust model.

Havoc1d ago

>pieces of critical Internet infrastructure that just quietly hums away in the background,

And donation supported no less

cachius1d ago

Wonder what incident that even could have been.

nottorp1d ago

> like the recently announced 6 day certs

Just you wait for the 1 hour and 59 minutes certs! For security!

j / k navigate · click thread line to collapse