“Support for Short-Term, Automatically-Renewed (STAR) Certificates in ACME”. https://twitter.com/Cryptoki/status/1165299507304816642
Replying to @ivanristic
I honestly don’t get why this is needed. Keys are cheap, and new keys are desirable, so why go out of your way to enable re-use? CAs can reuse validation information as well, so why complicate the protocol to enable short-cutting a few requests?
Replying to @rmhrisk @ivanristic
An argument that operators use against short-lived certs is that empirically automated cert issuance has more downtime than OCSP. STAR allows issuance to work like OCSP - new certs distributed via a highly-available CDN and retrieved with unauthenticated GET.
Key rotation is important, so STAR orders expire, after which the client can renew with a new key. So keys need not be any longer-lived under STAR than they are with today's long-lived certs.
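A simplified model of the pattern the two tweets above describe, added here as an example and not code from the ACME STAR specification or any CA: the CA batch-signs a run of short-lived certificates for one key, pushes the batch to a CDN, the site fetches it with an unauthenticated GET and keeps serving from its cache when the CDN is unreachable, and once the order's end date passes the site rotates to a fresh key and a new order. The `Cert` fields, `Cdn`, `batch_sign` and `StarClient` are assumptions made for the model, and time is in abstract units.

```python
"""Model of STAR-style batch issuance, CDN distribution and key rotation.
Constructed example; names and fields are assumptions, not the spec's."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    key_id: str      # stands in for the public key the certificate binds
    not_before: int  # validity window in abstract time units (e.g. days)
    not_after: int


class Cdn:
    """Distribution point: holds pre-produced batches, served by plain GET."""
    def __init__(self) -> None:
        self.objects: dict = {}
        self.down = False

    def get(self, url: str) -> List[Cert]:
        if self.down:
            raise ConnectionError("CDN unreachable")
        return self.objects.get(url, [])


def batch_sign(key_id: str, start: int, end: int, lifetime: int) -> List[Cert]:
    """CA side: pre-produce every cert for the order window in one batch."""
    return [Cert(key_id, t, min(t + lifetime, end)) for t in range(start, end, lifetime)]


class StarClient:
    def __init__(self, cdn: Cdn, url: str, key_id: str, order_end: int) -> None:
        self.cdn, self.url, self.key_id, self.order_end = cdn, url, key_id, order_end
        self.cache: List[Cert] = []

    def current_cert(self, now: int) -> Optional[Cert]:
        """Cert to serve at `now`; falls back to the cached batch if the GET fails."""
        try:
            fetched = [c for c in self.cdn.get(self.url) if c.key_id == self.key_id]
            if fetched:
                self.cache = fetched  # accept only certs bound to our own key
        except ConnectionError:
            pass                      # CDN outage: keep serving from the cache
        for c in self.cache:
            if c.not_before <= now < c.not_after:
                return c
        return None                   # nothing valid anywhere: genuine outage

    def needs_rotation(self, now: int) -> bool:
        """STAR orders expire; after that the site must order again with a new key."""
        return now >= self.order_end

    def rotate(self, new_key_id: str, new_order_end: int) -> None:
        self.key_id, self.order_end, self.cache = new_key_id, new_order_end, []
```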
It may not be necessary for Google, but if this makes short-lived certs palatable to other operators, it's an improvement over the status quo, even if keys are not rotated ~daily.
Replying to @__agwa @ivanristic
I’m not speaking as Google, just Ryan; I get that it lets you renew against the same key for a fixed period. That’s the most impactful element of the proposal, since cached validations reduce the need to recalibrate on renewal. I just ask why?
Replying to @rmhrisk @ivanristic
Arguments like https://github.com/WICG/webpackage/issues/378#issuecomment-457011076: "7-day lifetime would limit uptime. In practice they see longer downtime periods for certificate issuance than OCSP."
Replying to @__agwa @ivanristic
In practice the reason they see that is they have been using legacy CAs that frequently experience hours of issuance outage. Making the issuance asynchronous doesn’t meaningfully change that a CA outage means you don’t get your new cert.
It seems like batch signing certs and pushing them out to CDNs will always be fundamentally more reliable than an Internet-facing signing-on-demand service, which can be affected by unexpected usage spikes, DoS attacks, buggy clients causing retry storms, etc.
Replying to @__agwa @ivanristic
It’s a bit like rearranging deck chairs on a sinking ship. If you’re a SaaS service, let’s say WordPress, where you need to spin up a new site for your customer who just completed a wizard, if your cert issuance is down your site is down.
Now with batch-signed certs you could have certs on a CDN that were pre-produced for your existing customers, so they don’t go down as well.