IT admins, get ready to grumble

    • P03 Locke@lemmy.dbzer0.com
      17 days ago

      This will keep getting shorter until it turns into a calculus problem.

      You won’t even get a certificate, just a token from some SSL token warehouse. Why should I trust it? Because some random company says so!

      • Admiral Patrick@dubvee.org
        17 days ago

        Lol, wouldn’t put it past them. Like TLS session keys we have now, but every session key has to be requested from the SSL token warehouse.

    • Possibly linux@lemmy.zip
      17 days ago

      There are lots of companies and vendors that don’t automate cert renewal. They are all going to be forced into automation with this change.

      The concern is that a compromised device could leak a cert that is then used for attacks.

      • corsicanguppy@lemmy.ca
        17 days ago

        > The concern is that a compromised device could leak a cert that is then used for attacks.

        Yeah. Everyone gets that.

        The question was whether this is worth the damage seen in the wild thus far.

        And I’m curious too: show me how it’s not some market trying to FUD and FOMO us into yet more rigamarole for the sake of security and also sales. Security is rich in “better safe than sorry” snake oil.

        Are we trading certs lasting ‘too’ long, a problem that may not yet exist, for a much harder problem of properly securing the renewal chain?

        Are we going to have very secure keys but on code with 181 sploits in the supply chain, that we neither know about nor can fix because of rug-pulled compatibility if we did?