On 06/20/2016 07:47 AM, James B. Byrne wrote:
On Sat, June 18, 2016 18:39, Gordon Messmer wrote:
I'm not interested in turning this in to a discussion on epistemology. This is based on the experience (the evidence) of some of the world's foremost experts in the field (Akamai, Cisco, EFF, Mozilla, etc).
Really? Then why did you forward your reply a private message to a public mailing list if not to do exactly what you claim you wish to avoid?
Accidents happen. I didn't intentionally mail you off-list, and when I noticed that I had, seconds later, I re-sent the message to the list, expecting that you'd notice and understand that I intended to keep the conversation on the list.
..which isn't relevant to the question of what you consider "evidence" of security practice implications.
Look, go to https://www.google.com/ right now and tell me what you see. Do you suddenly distrust the internet's single largest domain? Do you think they implement poor security practices?
For someone who wants "evidence" you make a lot of unsupported assertions. You do see the irony, don't you?
The difference is that I state this is my opinion and I do not claim it as a fact. Your statement claimed a factual basis. I was naturally curious to see what evidence supported your claim.
Citation required.
Allow me an example. To quote you: "The usual way a private key gets compromised is by theft or by tampering with its generation. Putting yourself on a hamster wheel of constant certificate generation and distribution simply increases the opportunities for key theft and tampering."
Now, when you asked "what possible benefit accrues from changing secured device keys on a frequent basis?" I pointed you to letsencrypt's documentation, which describes the benefits of 90-day certificates.
So, please describe how I am "claiming a factual basis" while you are not.
Automated security is BS. It has always been BS and it always will be BS. That is my OPINION. It may not be a fact for I lack empirical evidence to support it. However, it has long been my observation that when people place excessive trust in automation they are are eventually and inevitably betrayed by it. Often at enormous cost.
This is what I consider "enormous cost": https://en.wikipedia.org/wiki/Heartbleed#Certificate_renewal_and_revocation
After a major security bug which exposed private keys, hundreds of thousands of servers did not take the required action to secure their services, and the vast majority of those that took *some* action did it incorrectly and did not resolve the problem.
Had those sites been using letsencrypt and renewing automatically, the exposed keys would have been replaced within 90 days (typically 60 max, so 30 days on average). Instead, it is likely that the problem will remain a risk for "months, if not years, to come."
And that's empirical evidence, which you have yet to offer.
This impediment however is strictly an artefact of signing code with short term certificates. I simply had to reset the date on my MB back to some future date when the certificate was valid and everything worked fine.
Apple's intermediate certs have a 10 year lifetime. If you consider that "short term" then I fear that nothing is suitable in your opinion.
But hey, what is my time worth in comparison to the security those certificates provided? SECURITY that was trivially evaded in the end.
Fixing your clock is not "evading" security.
Exactly what mindless person or committee of bike-shedders decided that software should be distributed so that copies of it expire?
Expiration is a fundamental aspect of x509 certificates. Do you understand x509 at all?