Ryan Dickson

Thank you @PrincetonCITP for introducing this work to the CA/Browser Forum at F2F Meeting 57!

@mholt6 Duration…and I heard that 864,000 seconds (or less) is a great default value. 😃 cabforum.org/2023/07/14/bal…

When specifying a certificate lifetime (in code), would you rather specify a duration (from time of issuance) or a specific NotAfter date?

@__apf__ She’s just trying to get buzzed in! Looks like a honeybee, who will be responsible for producing 1/12 of a teaspoon of honey in her ~45 day lifetime! Un-bee-lievable!

a bee keeps ringing my doorbell. what do you think she wants from me

@rmhrisk Ran it against Let’s Encrypt, SSL.com, ZeroSSL, BuyPass, and Google Trust Services moments after getting his email! Thank you Andrew, indeed!

I've long argued that root programs should mandate the adoption of ACME, allowing them, and ideally, the public, to assess the conformity of public CAs using standard tools. These entities serve the web, yet much of their operations remain opaque, and we know there be dragons. We can, and should, strive for more transparency in the operations of public CAs.

It looks like @__agwa has given the WebPKI another gift. His new tool dcv-inspector.com allows you to easily inspect the DNS, HTTP, and SMTP requests made by a certificate authority during domain validation. This is significant not only because we know some CAs fail to implement existing required practices, but it also provides insights into the efforts of some CAs to protect against BGP-based attacks on certificate issuance. Here's an example response showing what the service detects in a Let's Encrypt enrollment: dcv-inspector.com/test/46e4bd9d8…. #TheWebThanksYouAgwa

Chrome gets it, ACME and automation is the key to unlocking reliable, at-scale certificate usage. #WebPKI blog.chromium.org/2023/10/unlock…

@dadrian But *this* time will be different!

HOW TO CONFIGURE A PKI 1. Don't.

Do you use ACME in a enterprise or large scale service and would be willing to be quoted on a site focused on increasing ACME adoption about your experience? If so please DM me and I’ll share more context.

@mholt6 This is my fourth year. It’ll be a lifelong hobby.

@ryancdickson Ohhh I've always thought this would be a fun hobby!! How long have you been beekeeping?

It’s been an un-bee-lievable year for beekeeping. So far, I’ve pulled almost 300 pounds (about 25 gallons) of honey from two hives - and there’s still a few weeks left in the season!

@mholt6 @Crypt32 @rmhrisk @webprofusion Stapling is great, but it’s barely used. We describe our observations re: stapling in the background doc linked via the Pull Request I shared earlier. Link: docs.google.com/document/d/180…

@Crypt32 @ryancdickson @rmhrisk @webprofusion Yes, stapling solves all those issues, and improves performance and reduces costs. Stapling is great.

Google Trust Services has announced their support of ARI! ARI enables notification that your cert will be revoked before it happens so you renew before it impacts you. With client support this means GTS customers have one less risk to worry about. security.googleblog.com/2023/05/google…

@rmhrisk @mholt6 @webprofusion Within the CA/B Forum, it feels like we’re getting close to voting on the proposed SC-63, which intends to make OCSP optional (enhancing user privacy), and incentivizes automation and short-lived certificates. More here: github.com/cabforum/serve…

@mholt6 @ryancdickson @webprofusion If we only knew a Ryan who could make that happen ;)

@mjg59 We have a general FAQ located here (chromium.googlesource.com/chromium/src/+…), and generally describe the Windows certificate stores we pull from here (source.chromium.org/chromium/chrom…). If you can share more specifics about the issues you faced, I’d be happy to see how we can improve the FAQ.

@ryancdickson Is the interaction between Chrome and the Windows certificate providers documented anywhere? Just spent a bunch of time figuring out that apparently Chrome only uses the current user store, not the machine-wide one

@mholt6 @rmhrisk @mholt6 - can you share your specific concerns/suggested areas of improvement re: ARI?

@rmhrisk (To clarify, I'm sure the GTS implementation is great. I mean the idea of ARI in general.)

@seakoz @elonmusk Don’t forget to practice “defense-in-depth” by also storing the hashes and notAfter dates in a poorly named spreadsheet owned by the Admin who was replaced “5 admins ago.” 🤓

It’s time to automate certificate management @elonmusk!

Caused by expired ground station cert. We’re scrubbing the system for other single-point vulnerabilities.

@jozefizso Not everyone supports automation to the extent that “short-lived” certificates can be the norm. However, we’re trying to incentivize their use within the CA/Browser Forum (github.com/cabforum/serve…).

@ryancdickson Why 90 days when it’s automated? 30 days? 14 days? 48 hours?

Let’s move the web PKI forward - together. chromium.org/Home/chromium-…

@awakecoding @BoreanJordan And, FWIW, many CAs agree that certificate lifetime should be shortened. Example: sectigo.com/resource-libra…

@awakecoding @BoreanJordan Root programs (like Chrome’s) define expectations and minimum requirements for initial and continued inclusion of a certificate in the corresponding root store (e.g., chromium.org/Home/chromium-…). Those requirements are defined at the program operator’s sole discretion.

@awakecoding @BoreanJordan Personal opinion: we must prioritize security over profitability. Every time.

@BoreanJordan @ryancdickson Agreed, but I suspect these trusted CAs will smell the existential threat and lobby against lowering the maximum WebPKI server certificate validity time to 90 days, as it will effectively put a lot of them out of business, as they'll struggle to bring value to their customers