[CentOS] [Fwd: Re: https and self signed]

James B. Byrne byrnejb at harte-lyne.ca
Fri Jun 17 16:50:41 UTC 2016


On Fri, June 17, 2016 12:31, Valeri Galtsev wrote:
>
> On Fri, June 17, 2016 10:19 am, James B. Byrne wrote:
>
>> Keys issued to individuals certainly should have short time limits
>> on them.  In the same way that user accounts on systems should
>> always have a near term expiry date set.  People are careless.
>> And their motivations are subject to change.
>
> James, though in general one is likely to agree with this, I still
> consider the conclusion I came to after discussions more than a decade
> ago valid for myself. Namely: forcing everyone to change password
> often pisses careful people off for nothing. Passwords they create
> and carefully keep can stand for decades, and only can be
> compromised on some compromised machine.

But I never mentioned anything about passwords.  I quite agree with
you with respect to avoiding needless password churn.  What I wrote
was specifically user accounts and their expiry dates.  These should
be short. Say six to twelve months or so.  When the account expires
then it can be renewed for another six or 12 months.  The password for
it is not changed.

One can always write a script to automatically search for and report
pending expirations.  There is no real need for accounts to actually
expire.  But, even if accounts do expire for active users then it is
not much of a hardship to report the fact and to have them
reactivated.  On the other hand, disused accounts never get reported
and remain deactivated.

Also, when a person leaves our employ and somehow the cancellation of
all or some of their accounts gets overlooked in the out-processing then
shortly their accounts will be deactivated automatically. A fail safe
mechanism.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
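
The reporting script mentioned in the message above, as an added example that is not part of the original post: it reads the account-expiry field (field 8, days since 1970-01-01) of a shadow(5)-format file and lists accounts that have expired or will expire within a given window. The function names, the sample entries and the fixed "today" value are constructed for illustration.

```shell
#!/bin/sh
# Added example: report expired and soon-to-expire accounts.
# usage: report_expiring SHADOW_FILE WINDOW_DAYS [TODAY_DAYS]
#   SHADOW_FILE  file in shadow(5) format ("-" reads standard input)
#   WINDOW_DAYS  report accounts expiring within this many days
#   TODAY_DAYS   optional: today as days since 1970-01-01 (for repeatable runs)
report_expiring() {
    shadow_file=$1
    window=$2
    today=${3:-$(( $(date +%s) / 86400 ))}

    awk -F: -v today="$today" -v window="$window" '
        # Skip comments and lines too short to carry an expiry field.
        /^#/ || NF < 8 { next }
        # Skip accounts with no usable expiry: empty, non-numeric, or 0
        # (shadow(5) says 0 is ambiguous and should not be used).
        $8 !~ /^[0-9]+$/ || $8 + 0 == 0 { next }
        {
            left = $8 - today
            # An account counts as expired from its expiry day onwards.
            if (left <= 0)
                printf "EXPIRED %s %d\n", $1, -left   # days since expiry
            else if (left <= window)
                printf "PENDING %s %d\n", $1, left    # days remaining
        }
    ' "$shadow_file"
}

# Constructed sample entries (not real accounts); password hashes shown as "!".
sample_shadow() {
    cat <<'EOF'
alice:!:16900:0:99999:7:::
bob:!:16900:0:99999:7::16980:
carol:!:16900:0:99999:7::17010:
dave:!:16900:0:99999:7::17400:
erin:!:16900:0:99999:7::bogus:
EOF
}

# Demo on the constructed sample, with "today" fixed at day 17000.
# On a live system, run as root: report_expiring /etc/shadow 30
sample_shadow | report_expiring - 30 17000
```

Accounts with no expiry date set (alice in the sample) never appear in the report, so the output can be mailed to whoever handles renewals without further filtering.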