On Sat, June 18, 2016 18:39, Gordon Messmer wrote:
On 06/18/2016 02:49 PM, James B. Byrne wrote:
On Fri, June 17, 2016 21:40, Gordon Messmer wrote:
With respect citing another person's or people's opinion in support of your own is not evidence in the sense I understand the word to mean.
I'm not interested in turning this in to a discussion on epistemology. This is based on the experience (the evidence) of some of the world's foremost experts in the field (Akamai, Cisco, EFF, Mozilla, etc).
Really? Then why did you forward your reply a private message to a public mailing list if not to do exactly what you claim you wish to avoid?
The assertion expressed in the link given above that 90-day certificate lives will serve to increase certificate renewal automation is at best a pious hope.
You are ignoring the fact that the tool used to acquire letsencrypt certificates automates the entire process. They're not merely hoping that users will automate the process, they're automating it on behalf of users. They've done everything but schedule it for their users.
One that is unlikely to be realised in my opinion for the simple reason that automated and therefore mostly unobserved security systems are a primary target for tampering.
For someone who wants "evidence" you make a lot of unsupported assertions. You do see the irony, don't you?
The difference is that I state this is my opinion and I do not claim it as a fact. Your statement claimed a factual basis. I was naturally curious to see what evidence supported your claim.
Likewise the authors' opinion that pki certificates are in general just casually left laying around to be compromised displays a certain level of what reasonably could be considered elitist contempt for the average human's intelligence.
Or, you know, a review of actual security problems in the real world.
Even as arguments I find these two positions are less than compelling. And in no respect could either opinion be considered evidence.
That's fine. I don't really need to convince you, personally, of anything. But for the security of the internet community in general, I'll continue to advocate for secure practices, including pervasive security (which means reducing barriers to the use of encryption at all points along the process of setup).
I know, and we put infants on no-fly lists for essentially the same religious beliefs. The benefit of so-called general security for the rest of us who do not have to bear its individual specific cost. The is no evidence that this sort of stuff works. It is just done so that if anything bad happens the authorities can claim that they did something preventative which they can point to. Regardless of how ineffectual it was.
Automated security is BS. It has always been BS and it always will be BS. That is my OPINION. It may not be a fact for I lack empirical evidence to support it. However, it has long been my observation that when people place excessive trust in automation they are are eventually and inevitably betrayed by it. Often at enormous cost.
Let me give you an example of stupidity in action with respect to signed certificates. I have a MacBookPro c. early 2009. There have been five or six major releases of OSX since then. Being a cautious type I download the upgrade installer apps and archive them before installing and upgrading.
Over this past weekend my MB stopped booting. It would get to the Apple symbol and go black. Much trial, error, and research later I discover that this is sometimes occurs when a MB has been repeatedly upgraded and that a clean install is the recommended cure. Oh, by-the-way, if you ever have to do this then do not use the Apple Migration Assistant app when you are done. You will be sorry.
So, I get out my archived Installer app, go to install it and BANG! My MB proclaims that "Somebody has tampered with the application or it is corrupted!". OH NO!
This impediment however is strictly an artefact of signing code with short term certificates. I simply had to reset the date on my MB back to some future date when the certificate was valid and everything worked fine. Of course this took me a great deal of frustrating effort to discover what had happened to all of my archived copies and how to fix it. In the middle of a system recovery I might add.
But hey, what is my time worth in comparison to the security those certificates provided? SECURITY that was trivially evaded in the end. Exactly what mindless person or committee of bike-shedders decided that software should be distributed so that copies of it expire? What security issue was addressed by this decision? What benefit to the public was achieved?
When real people suffer real inconvenience and real loss of productive effort because of mindless adhesion to bromide based cures that are blandly offered for ills that mostly exist in the imagination of the ignorant then yes; I require evidence of their efficacy. And lining up a bunch of band-wagon pundits chanting the same vacuous refrains is not evidence.
And this one is going to the list.