by Nimi 3759 days ago
Moving away from obsolete crap isn't the solution, it's the definition of the problem.

One could argue that the CA/Browser Forum has achieved some success with moving away from SHA-1. As a spectator, I don't understand why this process is not repeated for similar obsolete primitives or standards.


I read a blog post by a guy with long experience with this. What happens is large players demand that there be a 'reasonable' deadline for compliance. And then half the companies involved sit on their hands for two and a half years and then demand an extension. And then another, and next thing you know you're still using RSA fifteen years after people knew they needed to stop using it.

Only solution I can think of is to create some sort of license where once the sunset deadline is established, the license to use it expires hard on the deadline.

That's very interesting, do you happen to have a link for the blog post?
Thanks, that would be the one. I get this feeling that encryption protocols and standards often end up in all sorts of dank corners of the web infrastructure, and finding and updating all of these is a really messy task. And I suspect service providers and their customers haven't been really good at keeping track of everything.
Fascinating. I still feel I'm missing something basic here: If Microsoft, Google and Mozilla announce they're not going to accept any particular crypto primitive two years from now, and this time there won't be any exceptions, CAs and websites just have to abide, don't they?
The browsers say what they accept, the server says what it provides and something in the intersecting set will be used.

If (as a random example that didn't annoy me at all for 2 years) a website also needs to support SmartTV devices which only accept obsolete certificates, then your server has to either break them or not.

Then a bunch of big companies announce they'll use another browser to be able to keep using it.