SRE at Let's Encrypt, though these toots are my own.
I'll be speaking at the Ontario Cryptography Day!
https://ontario-crypto-day.github.io/
Where: University of Waterloo Davis Centre (DC) 1301 and 1302
When: Friday, June 6, 2025, from 10am to approx. 4:30pm
I hope anyone in the area interested in cryptography is able to attend. It's a free event, but registration is required.
@rsalz interesting that the criteria is in ALL root stores, which might be an issue in some cases as root stores evolved.
Eg, a new CA that's trusted directly in Chrome, with a cross-sign from an old CA. Perhaps Chrome only trusts the new CA, and some other program like Microsoft (who aren't taking new roots right now) only supports the old CA providing the cross-sign.
A certificate chain with the cross-sign will work with both programs, but Akamai's policy here seems like it may exclude said CA.
@MichaelPorter GPS receivers in datacenters provide an accurate source of time, which is how basically everyone sets their clock now. It's how your phone and computer know the time, though maybe one or two steps away from GPS.
Of all the things I didn’t expect to ever happen, iOS Safari actually got a certificate viewer in 18.4! https://webkit.org/blog/16574/webkit-features-in-safari-18-4/#connection-security
https://sgued.fr/blog/der-pem-cert/
New blog post.
Can a certificate be at the same time a valid PEM file and a valid DER file? Turns out, yes!
Edit: Turns out, you can even make it work with the openssl CLI. I updated the post thanks to an hint by @levitte !
We've issued our first short-lived (6 day) certificate! https://letsencrypt.org/2025/02/20/first-short-lived-cert-issued/
@zash Yes. If you're using Let's Encrypt for client certs, start planning a migration now.
@ryanc Splitting S/MIME from TLS roots has already been in progress. I'm less familiar with the details as we don't operate an S/MIME root, but I believe Mozilla and Chrome already have some requirements around that
Chrome has published version 1.6 of their root store policy.
Notably, this contains a timeline for deprecating use of the TLS Client Auth extended-key-usage inside the PKIs included in their program.
If you currently use TLS Client Auth from a publicly trusted CA, you may need to take action.
> ... certificates issued on or after June 15, 2026 MUST include the extendedKeyUsage extension and only assert an extendedKeyUsage purpose of id-kp-serverAuth.
@ondra @argv_minus_one
As an extra heads-up on this note, Android's also going to start enforcement soon, opt-in per-app, just announced in https://groups.google.com/g/certificate-transparency/c/ofE05kCAtIk/m/XNiNOi80AAAJ
@ondra @argv_minus_one Thanks. I agree Firefox should be pre-announcing these big changes sooner.
As a CA, I am very much interested in understanding issues that people using our certificates may run into, and I'm not sure I fully understand the breakage here, which is why I'm asking.
We monitor what SCTs we insert in certificates against the different browser's policies to make sure we have high compatibility with all CT-enforcing clients, and I got Firefox to make one change prerelease to avoid one edge-case at least. So if there's additional incompatibility I very much want to know!
Can you say more about what the carveout Chromium has here that Firefox is missing?
Certificate Transparency requires a pair of "Signed Certificate Timestamps" from logs be provided to the browser. They're usually embedded in the certificate by the issuing CA, though there's technically two additional options (in a stapled OCSP response, or provided by the webserver in a TLS extension).
There's no online querying, though some browsers (like Chrome, for users who have opt-in to enhanced safe browsing) do some random sampled reporting of observed SCTs to detect misbehaving logs.
Firefox was the biggest browser that didn't require CT, I think.
Congratulations to the Firefox team for shipping CT enforcement!
> Starting in Firefox 135, Certificate Transparency is now enforced on all desktop platforms.
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/OagRKpVirsA/m/Q4c89XG-EAAJ
I'm speaking at #SREcon in Santa Clara this March! Come learn how Let's Encrypt issues millions of certificates with just a handful of staff and servers! https://www.usenix.org/conference/srecon25americas/presentation/mcpherrin
@jarek oh huh thanks, I do actually think I can get some stuff together by Sunday
Useless Projection #6: The Asymmetric Monstrosity. A combination of the sinusoidal, Mollweide, Equal Earth, and cylindrical equal-area projections. It's all equal-area*, so it's suitable for the classroom.
(I now have a goal for this year: make an elaborate wall map in this projection).
*I actually probably got the scaling wrong on the cylindrical equal-area part, but I'll work on that for the next draft, when I make the "real" map
Be aware of the Makefile effect
https://blog.yossarian.net/2025/01/10/Be-aware-of-the-Makefile-effect
@benjojo just watched the talk recording! Do you have any info about the “repeating frames” trick you mentioned some devices do for low bitrate links?
