this post was submitted on 16 Oct 2024
192 points (91.4% liked)
Technology
60123 readers
4921 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Smells like Apple knows something but can’t say anything. What reason would they want lifespans cut so short other than they know of an attack vector that means more than 10 days isn’t safe?
AFAIK they’re not a CA that sells certs so this can’t be some money making scheme. And they’ll be very aware how unpopular 10 day lifespans would be to services that suck and require manual download and upload every time you renew.
Smells like you didn't read the article, it's an ongoing trend:
Reducing it to one year made sense, one year down to 10 days is actually a fucking massive difference. Practically speaking, it’s a far, far bigger change than 8 years down to 1.
This isn’t just an “ongoing trend” at this point, it would be a fundamental change to the way that certificates are managed i.e. making it impossible to handle renewals manually for any decently sized business.
They never said the ongoing trend wasn't logarithmic. By 2030 you'll be updating certs 6-8 times a day! Please drink verification can.
Thank you for the smug response however I did indeed read the article and going from 13 months to 10 days is not a trend but a complete rearchitecture of how certificates are managed.
You have no idea how many orgs have to do this manually as their systems won’t enable it to be automated. Following a KBA once a year is fine for most (yet they still forget and websites break for a few days; this literally happened to NVD of all things a few weeks ago).
This change is a 36x increase in effort with no consideration for those who can’t renew and apply certs programmatically / through automation.
Don't worry. All that old gear is at least 45 days old - so old - and isn't an apple product anyway probably. Ergo, support isn't their issue and you will have to take that up with your OEM because la-la-la-laaaaa, can't hear you. Wanna go ride bikes?
Then do explain your conspiracy theory. Sectigo could go for a money grab, otherwise... probably just forcing automation without thinking of impact, as usual.