Re: Expired certificate

[Dan Kaminsky <dan () doxpara com>]

> Operationally, it just shouldn't be that big a deal to schedule a
> maintenance every few years. Like expiring domain registrations, the hardest
> part is simply to not lose track of it. The Accounting dept in an
> organization can sometimes help to not forget that stuff.
Shouldn't?  That's a nice word.

What does the data say?

Suppose I have five hundred web servers with five hundred expiration dates,
strewn out roughly uniformly over a three year period.  That means, I have
about one expiration every two days.

Now, to run a change:

1) A purchase must be made, of the thing to be changed
2) A meeting must be scheduled, to organize the change (especially if, as
you suggest, an external organization tracks these things)
3) An administrator must be tapped to implement the change in non-peak time
4) The change must happen
5) The change must be tested and validated
6) The new expiration time must be confirmed for tracking purposes

Lets say this is 8 man hours.  That means this is 4,000 man hours of work.
Assume the employee doing this work has an average cost to the company of
$60/hr (remember, you need to roughly double the cost of a full time
employee, after you factor in benefits, payroll taxes, etc).

That's $240K/yr being spent to manage three year expirations, just on labor.

And, of course, you see the result of this:  People don't go ahead and put
500 different certs on 500 different machines.  Instead, you end up with an
Internet having but a million SSL endpoints, only half of which even pretend
to have a validating certificate.

Costs can hide.  Consequences are another matter.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/