Re: Expired certificate

[Marsh Ray <marsh () extendedsubset com>]

On 07/22/2010 08:05 PM, Dan Kaminsky wrote:
> That's $240K/yr being spent to manage three year expirations, just on
> labor.

Yep.

But as Dr. Laura would say, "you knew that before you married her".

Nobody said you had to go into that business, or that you were entitled 
to make a profit on it.

> And, of course, you see the result of this:  People don't go ahead
> and put 500 different certs on 500 different machines.  Instead, you
> end up with an Internet having but a million SSL endpoints, only half
> of which even pretend to have a validating certificate.
>
> Costs can hide.  Consequences are another matter.

I don't see that 8 hours every 2 days should quite come to $1/4M per 
year, and I suspect a competent organization could roll out routine cert 
changes in under 8 hours on average. But let's suppose it does.

What might be the unintended consequences be of having 500 "secure" 
sites hosted by folks that can't manage to spend one day every three 
freakin' years on maintenance?

I know, it probably doesn't add that way logically, but just sayin'.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/