Re: Expired certificate

[Pavel Kankovsky <peak () argo troja mff cuni cz>]

On Sun, 25 Jul 2010, Dan Kaminsky wrote:

> > So... no one is doing revocation checking and expiration is evil.
> > How are we supposed to get rid of invalid certificates?
>
> Ask me that in a few days ;)

Has one week been enough for you? :)

> So nobody will sell you a name constrained certificate.  It's almost
> like there are serious implementation issues with the extension in the
> field.

Obviously not serious enough to prevent their use by US Federal Bridge CA.
See <http://www.idmanagement.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf>

> Absolutely correct.  Whatever world X.509 is great for, it sure ain't
> this one.

Governments and big companies *are* hierarchical and bureacratic and X.509
was developed for them.

> Patch management involves the same thing being put on different hosts,
> and there's really no choice -- you can't run an infrastructure without
> maintaining it, on some timescale anyway.

Can't you? The world is full of unpatched systems. You can even find
systems where patches are not installed because it is running a piece of
mission critical software and they would lose support if they installed
any patches (I am not making this up).

> Certificate management involves different things being put on different
> hosts, [...]

This is a red herring. When you have got a bag of certificates, it is
trivial to pick the right certificate for every host and check it
automatically both before and after deployment. And everything else but
the bits (place where the cert is installed, services that need to be
restarted etc.) can stay identical.

> [...] and there's totally a choice -- you can simply not have a
> certificate at all.

Yes. And you can teach your users to check all server public keys
manually. You can also make a choice to send everything in cleartext and
set all passwords to "123456" because it will make your life much easier.

> To paraphrase another quote, "X.509 never fails, only X.509 deployers."

I do not say X.509 never fails, I question 

> You know, it's strange.  I never hear stories about networks being taken
> down for nonpayment of electric bills, but we have straight up UI
> support for certificate errors.  Why do you think that is?

There are various cases of epic fails related to electric bills but I
admit I have not found a clear example affecting IT infrastructure 
directly.

Replace interrupted power supply with expired domain registration and
you'll be able to find dozens of incidents, all of them affecting IT for
obvious reasons--and some of them involving big names like Microsoft and
Google.

-- 
Pavel Kankovsky aka Peak                          / Jeremiah 9:21        \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/