[CentOS] https and self signed

Sat Jun 18 22:39:06 UTC 2016
Gordon Messmer <gordon.messmer at gmail.com>

On 06/18/2016 02:49 PM, James B. Byrne wrote:
> On Fri, June 17, 2016 21:40, Gordon Messmer wrote:
>> https://letsencrypt.org/2015/11/09/why-90-days.html 
> With respect citing another person's or people's opinion in support of
> your own is not evidence in the sense I understand the word to mean.

I'm not interested in turning this into a discussion on epistemology.  
This is based on the experience (the evidence) of some of the world's 
foremost experts in the field (Akamai, Cisco, EFF, Mozilla, etc).

> The assertion expressed in the link given above that 90-day
> certificate lives will serve to increase certificate renewal
> automation is at best a pious hope.

You are ignoring the fact that the tool used to acquire letsencrypt 
certificates automates the entire process.  They're not merely hoping 
that users will automate the process, they're automating it on behalf of 
users.  They've done everything but schedule it for their users.

> One that is unlikely to be
> realised in my opinion for the simple reason that automated and
> therefore mostly unobserved security systems are a primary target for
> tampering.

For someone who wants "evidence" you make a lot of unsupported 
assertions.  You do see the irony, don't you?

> Likewise the authors' opinion that pki certificates are in
> general just casually left lying around to be compromised displays a
> certain level of what reasonably could be considered elitist contempt
> for the average human's intelligence.

Or, you know, a review of actual security problems in the real world.

> Even as arguments I find these two positions are less than compelling.
> And in no respect could either opinion be considered evidence.

That's fine.  I don't really need to convince you, personally, of 
anything.  But for the security of the internet community in general, 
I'll continue to advocate for secure practices, including pervasive 
security (which means reducing barriers to the use of encryption at all 
points along the process of setup).
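
The "everything but schedule it" step Gordon describes above, as an added example that is not part of this thread or of the Let's Encrypt client itself: a POSIX shell script that a cron job can run daily, checking how close a certificate is to expiry with `openssl x509 -checkend` and only then invoking the renewal command. The message does not name the client, so the `certbot renew` command in the comments, the 30-day threshold (the window certbot uses by default) and all file paths are assumptions; the test certificates are generated locally so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Let's Encrypt project.
# Decide whether a certificate is inside its renewal window and, if so, run
# the renewal command. Meant to be scheduled, e.g. (assumed paths/client):
#   17 3 * * *  /usr/local/bin/renew-if-needed.sh /etc/letsencrypt/live/example.test/cert.pem 30 certbot renew
set -eu

# needs_renewal CERT DAYS
#   exit 0: CERT expires within DAYS days (renew now)
#   exit 1: CERT is still valid beyond that window
#   exit 2: CERT is missing or not a parsable X.509 certificate
needs_renewal() {
    cert=$1
    days=${2:-30}                       # assumption: 30-day window, certbot's default
    secs=$((days * 86400))
    # Refuse to answer for an unreadable cert rather than silently "nothing to do".
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend returns 0 when the cert is still valid SECS from now, 1 when it
    # will have expired by then.
    if openssl x509 -noout -checkend "$secs" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_needed CERT DAYS CMD [ARGS...]
#   Runs CMD only when CERT is inside the window; an unreadable cert is an
#   error (exit 2), never treated as "nothing to do".
renew_if_needed() {
    cert=$1
    days=$2
    shift 2
    rc=0
    needs_renewal "$cert" "$days" || rc=$?
    case $rc in
        0) echo "$cert: expires within $days days, renewing" ; "$@" ;;
        1) echo "$cert: more than $days days left, nothing to do" ;;
        *) echo "$cert: missing or unreadable certificate" >&2 ; return 2 ;;
    esac
}

# make_test_cert OUT DAYS: constructed self-signed cert valid for DAYS days,
# used only so the check can be exercised without any CA or network access.
make_test_cert() {
    out=$1
    days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/CN=example.test" >/dev/null 2>&1
}
```

Because the expiry check is done with the certificate on disk rather than by trusting a calendar entry, the job is safe to run far more often than once every 90 days, and a failed or skipped renewal simply gets retried the next day while the certificate is still valid; that is the property the 90-day lifetime is meant to force operators into having.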