> why the bank cannot buy a 10 year certificate it's a mystery to me, I sure hope they'll still be in business in 10 years' time from now, at least they should be able to not think about this minutia so often. There's no more reason they should "think" about this than, say, testing fire extinguishers, it's just routine maintenance, it is presumably somebody's job to ensure all the routine maintenance gets done. If you're holding a meeting about the certificates on the web site, rather than knowing that's maintained and monitored properly as part of normal operations, you screwed up. Now, why does it need maintaining? Why not have them issued for 10 years (so, longer than many employees will work for the bank)? Well the lifetime of a certificate in the Web PKI is in practice the best possible agility we can achieve for the entire Web PKI, so the longer the maximum lifetime, the slower we're able to fix any problems. If the bank's new certificate today is valid for 10 years that means if we sunset things which are a terrible idea tomorrow they are still polluting the ecosystem until at least January 2033. A new browser, written by a team who are all in primary school today, might ship in 2033 and yet it's expected to put up with every weird thing we're still allowing, even if it's known to have been a bad idea for about a decade by then. Currently the rule is 398 days, so if we outlaw something tomorrow, it's no longer a problem by the end of February 2024. More realistically, if we argue about it for a few weeks, and then agree to ban it from May 2023, it's no longer a problem by the second half of 2024.
fire extinguishers are for emergencies!
if a fire extinguisher doesn't work, people can die
if an HTTPS cert has expired, there is no risk involved, it can still be used only on the domain it was issued for.
Anyway in my country you have to check them every 3 years and someone comes to you, you don't have to remember about it.
> If the bank's new certificate today is valid for 10 year
nothing prevents reissuing new certificates before expiration, if necessary.