On 3/2/21 7:35 PM, Nico Williams wrote:
> On Tue, Mar 02, 2021 at 07:00:35PM -0800, Michael Thomas wrote:
>> NRE vs constant help desk. [...]
> I can't parse "NRE".
Non-recurring engineering, i.e. upfront cost.
> Short-lived certs == no one ever forgets to automate the fetching of new
> ones.
> When you have two-year certs you need CRLs and OCSP and you always
> forget to renew.
> When you have five-day certs you cannot forget to renew more than twice
> because you won't like the constant outages, so you'll automate.
> Heck, you could dial that down to eight-hour certs. After all, with JWT
> we use JWKs that last only a few hours, so you *really* have to fetch
> them on a schedule.
Or you just expect online and not worry about any of this.
I'm not even sure why you'd want to use certs in your use case. You're
just reinventing Kerberos.
Mike
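The two mechanics Nico's quoted paragraphs rely on, that an expired short-lived cert is rejected by ordinary chain validation with no CRL or OCSP lookup involved, and that a short lifetime forces the fetch onto a schedule, as an added example that is not part of the thread and not either poster's code. It uses only Go's standard crypto/x509. The in-process "toy-ca" issuer, the hostname api.example.test, the eight-hour lifetime, the thirty-minute check interval and the renew-at-two-thirds rule are all assumptions of the example; the clock is simulated, nothing is fetched over a network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign generates a fresh P-256 key, issues tmpl for it under parent (self-signed
// when parent is nil) and parses the encoded certificate back.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a toy self-signed CA valid for a year from now. It is an
// assumption of this example, standing in for whatever issuer a deployment uses.
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "toy-ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// Issue signs a server cert for name valid exactly from now to now+lifetime. The
// leaf key would go to the server; the simulation below only verifies, so it is dropped.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // distinct per renewal; real CAs use random serials
		DNSNames:     []string{name},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// NeedsRenewal is the fetcher's trigger: renew once fraction of the lifetime has
// elapsed (2/3 is a common choice), leaving the remainder as slack for retries.
func NeedsRenewal(cert *x509.Certificate, now time.Time, fraction float64) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return !now.Before(cert.NotBefore.Add(time.Duration(float64(lifetime) * fraction)))
}

// Simulate walks the clock from start over horizon in steps of interval, renewing
// when NeedsRenewal fires (only if automate is set), and returns how many checks
// found the cert failing client-side chain validation, i.e. how often clients saw an outage.
func Simulate(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, start time.Time, horizon, lifetime, interval time.Duration, automate bool) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cert, err := Issue(ca, caKey, name, start, lifetime)
	if err != nil {
		return 0, err
	}
	failures := 0
	for now := start; now.Before(start.Add(horizon)); now = now.Add(interval) {
		if automate && NeedsRenewal(cert, now, 2.0/3) {
			if cert, err = Issue(ca, caKey, name, now, lifetime); err != nil {
				return 0, err
			}
		}
		// Expiry is caught here by the validity window alone; no revocation data is consulted.
		if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, CurrentTime: now}); err != nil {
			failures++
		}
	}
	return failures, nil
}

func main() {
	ca, caKey, err := NewCA(time.Now())
	if err != nil {
		panic(err)
	}
	for _, automate := range []bool{true, false} {
		n, err := Simulate(ca, caKey, "api.example.test", time.Now(), 48*time.Hour, 8*time.Hour, 30*time.Minute, automate)
		fmt.Println("8h certs over 48h, renewal automated:", automate, "failed checks:", n, "err:", err)
	}
}
```

Over 48 hours of 30-minute checks (96 in all) the automated run reports no failures, while the run that never renews fails every check after the eighth hour. Dialling the lifetime down to eight hours, as Nico suggests, does not change the code at all; it only shrinks the window in which forgetting to run the fetcher goes unnoticed.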