• fartsparkles@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    20
    arrow-down
    5
    ·
    20 days ago

    Smells like Apple knows something but can’t say anything. What reason would they want lifespans cut so short other than they know of an attack vector that means more than 10 days isn’t safe?

    AFAIK they’re not a CA that sells certs so this can’t be some money making scheme. And they’ll be very aware how unpopular 10 day lifespans would be to services that suck and require manual download and upload every time you renew.

    • 0x0@programming.dev
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      18
      ·
      20 days ago

      Smells like you didn’t read the article, it’s an ongoing trend:

      Max lifespans of certs have been gradually decreasing over the years in an ongoing effort to boost internet security. Prior to 2011, they could last up to about eight years. As of 2020, it’s about 13 months.

      • li10@feddit.uk
        link
        fedilink
        English
        arrow-up
        35
        arrow-down
        1
        ·
        20 days ago

        Reducing it to one year made sense, one year down to 10 days is actually a fucking massive difference. Practically speaking, it’s a far, far bigger change than 8 years down to 1.

        This isn’t just an “ongoing trend” at this point, it would be a fundamental change to the way that certificates are managed i.e. making it impossible to handle renewals manually for any decently sized business.

        • Cort@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          19 days ago

          They never said the ongoing trend wasn’t logarithmic. By 2030 you’ll be updating certs 6-8 times a day! Please drink verification can.

      • fartsparkles@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        27
        arrow-down
        1
        ·
        edit-2
        20 days ago

        Thank you for the smug response however I did indeed read the article and going from 13 months to 10 days is not a trend but a complete rearchitecture of how certificates are managed.

        You have no idea how many orgs have to do this manually as their systems won’t enable it to be automated. Following a KBA once a year is fine for most (yet they still forget and websites break for a few days; this literally happened to NVD of all things a few weeks ago).

        This change is a 36x increase in effort with no consideration for those who can’t renew and apply certs programmatically / through automation.

        • corsicanguppy@lemmy.ca
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          20 days ago

          This change is a 36x increase in effort with no consideration for those who can’t renew and apply certs programmatically / through automation

          Don’t worry. All that old gear is at least 45 days old - so old - and isn’t an apple product anyway probably. Ergo, support isn’t their issue and you will have to take that up with your OEM because la-la-la-laaaaa, can’t hear you. Wanna go ride bikes?

        • 0x0@programming.dev
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          6
          ·
          20 days ago

          I did indeed read the article

          Smells like Apple knows something but can’t say anything.

          Then do explain your conspiracy theory. Sectigo could go for a money grab, otherwise… probably just forcing automation without thinking of impact, as usual.