[Info-vax] Certificates
terry-groups at glaver.org
Mon Jul 24 18:49:04 EDT 2023
On Monday, July 24, 2023 at 4:25:07 PM UTC-4, Stephen Hoffman wrote:
> I'm not sure I see the issue for OpenVMS, as its certificate
> implementation and integrated certificate usage is approximately zilch.
>
> Everybody's using their own, built atop OpenSSL.
This was in response to a WIBNI for everything to be rewritten to use
https:// as the sole protocol. I believe the particular usage case that
it sprang from was LAT terminal sessions, but I might be mis-remembering.
> As for shorter lifetimes, Google announced they were working on 13
> months back in 2019:
>
> https://venafi.com/blog/jury-out-whether-reducing-certificate-lifetimes-would-improve-security/0
>
> I'd wager the browser vendors were encountering more certificate
> issuance shenanigans than we will probably reasonably ever know about,
> too. And we know about some.
It would be nice if browser vendors showed some backbone and refused
to go along with this. In that absence, it is left to the users to
yell "Hell no, we won't go!". We see a lot of that with IPv6 and there
is a fair amount of it behind-the-scenes which isn't visible to people
on the outside. For example, I have 1000+ certificates signed by my
company's bogo-root CA and that root CA installed in more browsers
than I can count. There's also usually a "Firefox (Old SSL)" desktop
icon on client PCs which launches Firefox 17.0.1 in a dedicated VM
to talk to devices that only use deprecated protocols.
> Discussions and actually-shorter lifetimes go back to 2015, and earlier:
>
> https://letsencrypt.org/2015/11/09/why-90-days.html
That's fine for systems that have automated renewal (Certbot or
similar). But it utterly falls flat on its face in embedded devices and
systems that can't run Certbot. APC management cards have their
own screwball certificate format, as do Cisco routers / switches.
You can push new configs to (possibly hundreds of) Cisco devices
on your corporate network every 90 days, but you had better be
very sure that this doesn't cause other breakage (it usually does, in
my experience). Plus, you still need to "cook" certificates into the
screwball Cisco format so it can't really be completely automated.
If the rest of the certificate vendors get forced into issuing only
90-day certificates, there is absolutely no reason for most customers
to pay for certificates if they can get one for free. One benefit
of a paid-for certificate is that you could get an EV (Extended
Validation) certificate which used to highlight the whole address
in green to show that a site (supposedly) had Really Good Security.
Then browsers changed to just showing the padlock icon in green,
and recently started not indicating an EV certificate at all because
it "confuses users".
Another problem with short-lifetime certificates is when there are
SANs for multiple domains with multiple administrative contacts.
It was bad enough trying to herd cats for issuance approval when
certificates lasted for 3 years. One year was impractical and 90
days just flat-out won't work.
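As an added illustration (not from the original post or its author), the following shell script shows the kind of expiry sweep an operator ends up running by hand against certificates on devices that cannot renew themselves, so that the approval round with the SAN owners can start before the 90-day window closes. It assumes OpenSSL 1.1.1 or later is on the PATH (for the `-addext` option) and generates two constructed self-signed certificates as sample input; the hostnames and paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes OpenSSL >= 1.1.1
# on PATH (for -addext). All certificates here are constructed on the fly.
set -eu

WORK="$(mktemp -d)"
CERT_SOON="$WORK/device-soon.pem"   # constructed: expires in 5 days
CERT_LONG="$WORK/device-long.pem"   # constructed: expires in 365 days

# make_cert FILE DAYS: constructed self-signed cert with two SAN entries,
# standing in for what a switch or management card would present.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1" -days "$2" \
        -subj "/CN=device.example.test" \
        -addext "subjectAltName=DNS:a.example.test,DNS:b.example.test" \
        >/dev/null 2>&1
}
make_cert "$CERT_SOON" 5
make_cert "$CERT_LONG" 365

# cert_expires_within FILE DAYS: succeeds (exit 0) if the certificate
# expires within DAYS days (or already has), fails otherwise.
# openssl x509 -checkend exits non-zero when expiry falls inside the window.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# san_dns_names FILE: print each DNS SAN on its own line. Parses the
# -text output rather than using -ext, which older builds lack.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# not_after FILE: the notAfter date as OpenSSL prints it.
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# report DAYS FILE...: one line per certificate, flagging those inside
# the renewal window together with the SANs whose owners must sign off.
report() {
    window="$1"; shift
    for cert in "$@"; do
        if cert_expires_within "$cert" "$window"; then
            status="RENEW"
        else
            status="ok"
        fi
        printf '%-6s %s  SANs: %s  notAfter: %s\n' "$status" "$cert" \
            "$(san_dns_names "$cert" | tr '\n' ' ')" "$(not_after "$cert")"
    done
}

# Sweep with a 30-day window: the 5-day certificate is flagged RENEW,
# the 365-day one reports ok.
report 30 "$CERT_SOON" "$CERT_LONG"
```

In practice the certificate files would be fetched from each device (for a TLS listener, `openssl s_client -connect host:443 -showcerts` dumps them) and the `report` call run from cron, so that the window check rather than an outage is what starts the renewal round.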