On 06/18/2016 02:49 PM, James B. Byrne wrote:
On Fri, June 17, 2016 21:40, Gordon Messmer wrote:
https://letsencrypt.org/2015/11/09/why-90-days.html
With respect citing another person's or people's opinion in support of
your own is not evidence in the sense I understand the word to mean.
I'm not interested in turning this in to a discussion on epistemology.
This is based on the experience (the evidence) of some of the world's
foremost experts in the field (Akamai, Cisco, EFF, Mozilla, etc).
The assertion expressed in the link given above that 90-day
certificate lives will serve to increase certificate renewal
automation is at best a pious hope.
You are ignoring the fact that the tool used to acquire letsencrypt
certificates automates the entire process. They're not merely hoping
that users will automate the process, they're automating it on behalf of
users. They've done everything but schedule it for their users.
One that is unlikely to be
realised in my opinion for the simple reason that automated and
therefore mostly unobserved security systems are a primary target for
tampering.
For someone who wants "evidence" you make a lot of unsupported
assertions. You do see the irony, don't you?
Likewise the authors' opinion that pki certificates are in
general just casually left laying around to be compromised displays a
certain level of what reasonably could be considered elitist contempt
for the average human's intelligence.
Or, you know, a review of actual security problems in the real world.
Even as arguments I find these two positions are less than compelling.
And in no respect could either opinion be considered evidence.
That's fine. I don't really need to convince you, personally, of
anything. But for the security of the internet community in general,
I'll continue to advocate for secure practices, including pervasive
security (which means reducing barriers to the use of encryption at all
points along the process of setup).
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos