On Tue, Mar 02, 2021 at 07:00:35PM -0800, Michael Thomas wrote:
> NRE vs constant help desk. [...]

I can't parse "NRE".

> Where are all of these use cases that need offline verification? I asked
> somebody else and didn't get an answer.

Admins *really* like to be able to get into their servers when bad things
happen on their networks and necessary infrastructure is down. SSH
generally gives you that.

> All of this tells me that there is a witching hour with certs that hasn't
> been broken in almost 40 years.

Short-lived certs == no one ever forgets to automate the fetching of new
ones. When you have two-year certs you need CRLs and OCSP and you always
forget to renew. When you have five-day certs you cannot forget to renew
more than twice because you won't like the constant outages, so you'll
automate. Heck, you could dial that down to eight-hour certs.

After all, with JWT we use JWKs that last only a few hours, so you *really*
have to fetch them on a schedule.

Nico
--