#WebPKI

2025-04-15

Specific schedule:

March 15, 2026 - Cert validity (and Domain Control Validation) limited to 200 days.
March 15, 2027 - Cert validity (and Domain Control Validation) limited to 100 days.
March 15, 2029 - Cert validity limited to 47 days and Domain Control Validation limited to 10 days.

There's gonna be a lot of complaints about this in change control meetings over the next ~~year~~ 200 days.

#Certificate #Certificate_Management #CABForum #PKI #WebPKI #SSL #TLS

2025-04-15

Buckle up, kids. Automate your certificate rotations or die trying. WebPKI certificate validity period will be 47 days by 2029. bleepingcomputer.com/news/secu

#Certificate #Certificate_Management #CABForum #PKI #WebPKI #SSL #TLS

2025-01-26

Firefox 136 looks poised to enforce Certificate Transparency.

It may be late, but combined with CRLite (and its other Web PKI progress), it may soon be the browser with the most robust Web PKI support.

While I would still say that Chromium generally wins on the security front, I’m happy to see the gap narrow with time and to see Firefox occasionally inch ahead in some areas.

Originally posted on seirdy.one (POSSE). #Firefox #WebPKI

2025-01-03

Hmm. #CERTBUND had just revoked their main #WebPKI certificate:

crt.sh/?id=12765055285

It seems some browsers actually get this information; mine don't.

2024-09-25

New blog post: Post-OCSP certificate revocation in the Web PKI.

With OCSP in all forms going away, I decided to look at the history and possible futures of certificate revocation in the Web PKI. I also threw in some of my own proposals to work alongside existing ones.

I think this is the most comprehensive current look at certificate revocation right now.

#security #WebPKI #LetsEncrypt #TLS #OCSP

2024-08-31

For a blog post I’m writing about dealing with certificate revocation, here are the topics I’m covering:

  • OCSP (inc. stapling, must-staple, the never-adopted expect-staple, discontinuation from BoringSSL and Let’s Encrypt)
  • CRLs, inc. CRLite, CRLSets, and Let’s Revoke.
  • Short-lived certs (inc. ACME-STAR, Delegated Credentials, and notAfter)

Anything else I should cover?

#WebPKI #TLS

2024-06-25

I should stop reading the CA section of the Mozilla bug tracker. Wow, can corporations have a hard time understanding plain English.

#WebPKI

2024-05-31

OCSP Stapling: still a thing? I lose track of which of the various attempts at solving #WebPKI revocation are still current.

Pass the SALT Conference (passthesaltcon@infosec.exchange)
2024-05-24

Today, our #WebPKI session 😍

If you weren't sleeping during the last decade, you know that @letsencrypt and #CertificateTransparency (CT) have revolutionized web security ⚡️

#pts24 will welcome no less than:
- Aaron Gable, #techlead at @letsencrypt
- Philippe Boneff, #techlead of #Google CT team
- and offensive research by Kévin Schouteeten & Paul Barbé from #Synacktiv on cert issuance in managed K8s environments.

IMHO, you shouldn't miss this session!
👉 REGISTER pretix.eu/passthesalt/2024/

Pass the SALT Conference (passthesaltcon@infosec.exchange)
2024-05-14

Soon, we will publish a focused presentation of each of the 9 different sessions (#DFIR, #crypto, #WebPKI etc) that will be given during #pts24 😍

Want to see right now our detailed program?
👉 cfp.pass-the-salt.org/pts2024/

To register (FREE)?
👉 2024.pass-the-salt.org/

Aaron Gable (asg@hachyderm.io)
2023-03-03

Apropos of nothing, here's a fun question at the intersection of #linguistics and the #webpki. Given the following sentence:

"...has determined that using the FQDN in the Certificate is no longer legally permitted."

which of the following two things do you think is no longer legally permitted?

2023-02-27

@dalias Within the notion of fixing the #WebPKI nightmare, that does sound promising.

I still think #DNS' vulnerability to government pressure in general is a fatal design flaw, but blaming #DNSSEC for it is not reasonable.

Aaron Gable (asg@hachyderm.io)
2023-01-12

Do you like security? Do you like privacy? Cryptography? Do you like working for a public benefit non-profit instead of an investor-beholden corporation?

Let's Encrypt is hiring for someone to join our SRE team and help run the largest Certificate Authority in the world! Come work with me and some of the most wonderful folks in tech, to make the web a better place.

abetterinternet.org/careers/le

#jobs #sre #webPKI #security #privacy #cryptography

2022-12-17

Normally, WebPKI certificates lack a secure issuance process and an attacker able to MITM unauthenticated HTTP(S) can obtain one.

GrapheneOS uses the CAA accounturi feature to securely pin our Let's Encrypt account keys for each of our servers for secure certificate issuance.

#grapheneos #privacy #security #webpki #letsencrypt #accounturi
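The CAA accounturi binding described above, as an added illustrative example that is not GrapheneOS or Let's Encrypt code: a hypothetical Python check that evaluates a constructed CAA record set the way an ACME CA would, climbing the DNS tree per RFC 8659 and applying the RFC 8657 accounturi and validationmethods parameters. The zone data, the account id and the function names are all assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple
# Constructed zone data (name -> CAA records as "flags tag value"); a real CA
# resolves these with DNSSEC-validating queries.  The account id is made up.
ZONE: Dict[str, List[str]] = {
    "example.org": [
        '0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345"',
        '0 issuewild ";"',  # nobody may issue wildcard certs for this zone
    ],
}
_REC = re.compile(r'^(\d+)\s+(\w+)\s+"(.*)"$')

def relevant_caa(fqdn: str) -> List[Tuple[str, str]]:
    """RFC 8659 s3: CAA set of the name itself or its closest ancestor, as (tag, value)."""
    base = fqdn[2:] if fqdn.startswith("*.") else fqdn
    labels = base.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in ZONE:
            found = [_REC.match(r) for r in ZONE[name]]
            return [(m.group(2).lower(), m.group(3)) for m in found if m]
    return []

def parse_issue(value: str) -> Tuple[Optional[str], Dict[str, str]]:
    """'issuer-domain; k=v; ...' -> (issuer, or None for ';'/empty, parameters)."""
    parts = [p.strip() for p in value.split(";")]
    pairs = [p.split("=", 1) for p in parts[1:] if "=" in p]
    return (parts[0].lower() or None), {k.strip(): v.strip() for k, v in pairs}

def issuance_permitted(fqdn: str, ca: str, account_uri: str, method: str = "dns-01") -> bool:
    """True iff CAA, with RFC 8657 account/method binding, lets `ca` issue for `fqdn`."""
    records = relevant_caa(fqdn)
    if not records:
        return True  # no CAA set anywhere up the tree: CAA imposes no restriction
    # RFC 8659 s4.3: for a wildcard name, issuewild records take precedence when present.
    chosen = [v for t, v in records if t == "issuewild"] if fqdn.startswith("*.") else []
    if not chosen:
        chosen = [v for t, v in records if t == "issue"]
    if not chosen:
        return True  # set carries no issue property: unrestricted
    for value in chosen:
        issuer, params = parse_issue(value)
        if issuer != ca.lower():
            continue  # ';' or another CA: this record grants nothing
        if params.get("accounturi", account_uri) != account_uri:
            continue  # pinned to a different ACME account (an attacker's own account fails here)
        if method not in params.get("validationmethods", method).split(","):
            continue  # challenge type not allowed by this record
        return True
    return False
```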

rmhrisk (rmhrisk@infosec.exchange)
2022-12-01

To err is human, to forgive is divine
unmitigatedrisk.com/?p=711 #WebPKI #ACME #FailOver

From the Washington Post:
Web browsers drop mysterious company with ties to U.S. military contractor

washingtonpost.com/technology/

#webpki

rmhrisk (rmhrisk@infosec.exchange)
2022-12-01

A Boy Scout is always prepared unmitigatedrisk.com/?p=710 #WebPKI #ACME #ARI

Aaron Gable (asg@hachyderm.io)
2022-11-30

Let's Encrypt's parent organization, the Internet Security Research Group #ISRG, also released our Annual Report today! Take a look at all the work we've been up to, and what we're hoping to do in the coming year:

abetterinternet.org/documents/

#GivingTuesday #WebPKI

Aaron Gable (asg@hachyderm.io)
2022-11-28

And Eric Rescorla (CTO of Firefox) just published this fantastic writeup about #eIDAS, the EU's attempt to legislate that browsers *must* trust certain root certificates that issue #QWAC certs, a specific kind of EV cert. It also starts with a great overview of the whole #WebPKI system, in order to set up the argument that eIDAS is Bad for the Internet.

educatedguesswork.org/posts/ei

It goes on to propose alternate designs that achieve the EU's goals without compromising trust. Well worth a read!
