Klaus Frank<p>Oh the <a href="https://chaos.social/tags/cabforum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cabforum</span></a> also wants to sunset "certificate issuance for .arpa domains".<br>At least one person following here uses an .arpa domain for their mastodon instance, so you probably want to checkout <a href="https://github.com/cabforum/servercert/pull/573" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/cabforum/servercert</span><span class="invisible">/pull/573</span></a><br>I guess.</p>
fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software.
If you wish to join, contact us for an invite.
Administered by:
Server stats:
8.8Kactive users
fosstodon.org: About · Status · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.4.2
#CABForum
0 posts · 0 participants · 0 posts today
Cassander<p>Specific schedule:</p><p>March 15, 2026 - Cert validity (and Domain Control Validation) limited to <strong>200 days</strong>.<br>March 15, 2027 - Cert validity (and Domain Control Validation) limited to <strong>100 days</strong>.<br>March 15, 2029 - Cert validity limited to <strong>47 days</strong> and Domain Control Validation limited to <strong>10 days</strong>.</p><p>There's gonna be a lot of complaints about this in change control meetings over the next <del>year</del>200 days.</p><p><a href="https://infosec.exchange/tags/Certificate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificate</span></a> <a href="https://infosec.exchange/tags/Certificate_Management" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificate_Management</span></a> <a href="https://infosec.exchange/tags/CABForum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CABForum</span></a> <a href="https://infosec.exchange/tags/PKI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PKI</span></a> <a href="https://infosec.exchange/tags/WebPKI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebPKI</span></a> <a href="https://infosec.exchange/tags/SSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSL</span></a> <a href="https://infosec.exchange/tags/TLS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TLS</span></a></p>
Cassander<p>Buckle up, kids. Automate your certificate rotations or die trying. WebPKI certificate validity period will be 47 days by 2029. <a href="https://www.bleepingcomputer.com/news/security/ssl-tls-certificate-lifespans-reduced-to-47-days-by-2029/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/ssl-tls-certificate-lifespans-reduced-to-47-days-by-2029/</span></a></p><p><a href="https://infosec.exchange/tags/Certificate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificate</span></a> <a href="https://infosec.exchange/tags/Certificate_Management" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificate_Management</span></a> <a href="https://infosec.exchange/tags/CABForum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CABForum</span></a> <a href="https://infosec.exchange/tags/PKI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PKI</span></a> <a href="https://infosec.exchange/tags/WebPKI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebPKI</span></a> <a href="https://infosec.exchange/tags/SSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSL</span></a> <a href="https://infosec.exchange/tags/TLS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TLS</span></a></p>
Outvi V | 夕霧綴理推し🐧<p><a href="https://mk.outv.im/tags/CABForum" rel="nofollow noopener" target="_blank">#CABForum</a> passed SC-081v3 to shorten public <a href="https://mk.outv.im/tags/TLS" rel="nofollow noopener" target="_blank">#TLS</a><span> cerficiate validity to a eventual 47 days, creating a market for new jobs like "certificate renew specialist" and "technican for certificate error ignoring".<br><br>This also brings light to a world of easier phishing cuz... you know, people don't get smarter in 1 or 2 days because some vote is passed.<br><br></span><a href="https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/9768xgUUfhQ" rel="nofollow noopener" target="_blank">https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/9768xgUUfhQ</a></p>
Pyrzout :vm:<p>Apple Enrages IT — 45-Day Cert Expiration Fury – Source: securityboulevard.com <a href="https://ciso2ciso.com/apple-enrages-it-45-day-cert-expiration-fury-source-securityboulevard-com/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ciso2ciso.com/apple-enrages-it</span><span class="invisible">-45-day-cert-expiration-fury-source-securityboulevard-com/</span></a> <a href="https://social.skynetcloud.site/tags/SecurityChallengesandOpportunitiesofRemoteWork" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityChallengesandOpportunitiesofRemoteWork</span></a> <a href="https://social.skynetcloud.site/tags/DeepFakeandOtherSocialEngineeringTactics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DeepFakeandOtherSocialEngineeringTactics</span></a> <a href="https://social.skynetcloud.site/tags/CertificateandKeyLifecycleManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CertificateandKeyLifecycleManagement</span></a> #90-dayTLScertificatevalidity <a href="https://social.skynetcloud.site/tags/CertificateandKeyManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CertificateandKeyManagement</span></a> <a href="https://social.skynetcloud.site/tags/IdentityandAccessManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IdentityandAccessManagement</span></a> <a href="https://social.skynetcloud.site/tags/SecurityBoulevard" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityBoulevard</span></a>(Original) <a href="https://social.skynetcloud.site/tags/rssfeedpostgeneratorecho" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rssfeedpostgeneratorecho</span></a> <a href="https://social.skynetcloud.site/tags/CertificateAutomation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CertificateAutomation</span></a> <a href="https://social.skynetcloud.site/tags/ApplicationSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ApplicationSecurity</span></a> <a href="https://social.skynetcloud.site/tags/CABForum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CABForum</span></a></p>
Jesse Harris<p>I see a lot of weeping, wailing, and gnashing of teeth over this proposal, but how do you think we get from "manually handle all of your certs in nightmare mode" to everything supporting ACME? You put a gun to the heads of the software vendors and equipment makers with a hard deadline. Not saying it won't suck for a while, especially with legacy systems, but that pain is decades of tech debt coming due. <a href="https://infosec.exchange/tags/cabforum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cabforum</span></a> <a href="https://infosec.exchange/tags/certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>certificates</span></a> <a href="https://github.com/cabforum/servercert/pull/553" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/cabforum/servercert</span><span class="invisible">/pull/553</span></a></p>
adorfer<p>for those who refused to automate their TLS certificate deployment so far: prepare for increased workload: <br>"<br>- Overall reduction of non-SAN validation reuse from 825 to 366 days<br> - Overall reduction of SAN validation reuse from 398 days to 10 days<br>[..]<br>Overall reduction of maximum validity period from 398 days to 45 days<br> These reductions are proposed to occur starting in September 2025 through September 2027<br>"<br><a href="https://github.com/cabforum/servercert/pull/553" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/cabforum/servercert</span><span class="invisible">/pull/553</span></a><br><a href="https://chaos.social/tags/tls" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tls</span></a> <a href="https://chaos.social/tags/cabforum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cabforum</span></a></p>
Erik van Straten(long) Wrong order: RPKI first - WebPKI never?
Erik van Straten<p>Uit het einde van <a href="https://security.nl/posting/854968" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/854968</span><span class="invisible"></span></a>:<br>«<br>Op internet wordt gebruikers DOELBEWUST de informatie onthouden waaruit zij, in nagenoeg alle gevallen, het verschil zouden kunnen zien tussen een filiaal van de Bijenkorf en een kofferbaksale uit een auto met gestolen kentekenplaten.<br>|<br>Het internet is ziek, doodziek - veroorzaakt door noobs, [...] en door Big Tech die meeverdient aan cybercriminaliteit.<br>»</p><p><a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BigTech</span></a> <a href="https://infosec.exchange/tags/Browsers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Browsers</span></a> <a href="https://infosec.exchange/tags/CABForum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CABForum</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OV</span></a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EV</span></a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QWAC</span></a> <a href="https://infosec.exchange/tags/NepVanEchtKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NepVanEchtKunnenOnderscheiden</span></a> <a href="https://infosec.exchange/tags/EchtVanNepKunnenOnderscheiden" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EchtVanNepKunnenOnderscheiden</span></a> <br><a href="https://infosec.exchange/tags/NepVanEchtOnderscheiden" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NepVanEchtOnderscheiden</span></a> <br><a href="https://infosec.exchange/tags/EchtVanNepOnderscheiden" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EchtVanNepOnderscheiden</span></a> <br><a href="https://infosec.exchange/tags/NepVersusEcht" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NepVersusEcht</span></a> <a href="https://infosec.exchange/tags/EchtVersusNep" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EchtVersusNep</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://noc.social/@hlindqvist" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>hlindqvist</span></a></span> : exactly.</p><p>The Gl/C forum (*), which used to be called CA/B, was flawed from the start - because the *TARGET* group, internet users, had nothing to say.</p><p>(*) Google/Chrome - with a couple of voiceless other parties to simulate a democratic process.</p><p><a href="https://infosec.exchange/tags/CABForum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CABForum</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://gruene.social/@weddige" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>weddige</span></a></span> : sure!</p><p>If you go to the centre of a city and see a building that obviously is a bank, then you don't need a "certificate" to be reasonably sure that it's a bank. You don't even have to know the exact address (that one could write as "nr.street.city.country").</p><p>The building's geographical location and neighbourhood confirm the identity of what's written on the outside wall, because, in practice, the chance of it being fake is negligible.</p><p>OTOH, if you were on holiday in some poor country, and for some reason you end up in a not-so-nice area, and near a scrapyard there's a building that *looks* like a bank; would you trust it?</p><p>On the internet you often have no idea where a server is located and how trustworthy anyone with access to it is. The only thing you may know is its address (domain name) - without anyone reliably telling you who is currently "living at that address" (who is responsible for a webserver).</p><p>https server certificates USED to do that - more or less.</p><p>IMO the following things are needed:</p><p>1) Browser users must be able to determine whether information, uniquely identifying the *owner* of a website, is available to them (apart from the address, i.e. the domain name). I.e. what type (DV or better) of certificate is being used;</p><p>2) If better than DV, an indication of the *reliability* of the way in which the owner's identity was verified, must be shown. The overall reliability of a CSP (certificate service provider), as determined by the CAB-forum, may affect the reliability score of each certificate signed by that CSP (not as binary as it is/was, i.e. fully distrusting misbehaving CSP's);</p><p>3) Users must be educated, at least via functionality built into browsers, that trust depends on answers to the following questions:<br>a) How sure are you that a website owner is who they say they are (this info should be provided by the browser);<br>b) What is the reputation of the owner (this knowledge is also required in real life, but IMO makes cert issuance too complicated; external alternative certifications such as ISO 9001 and 27001 *may* help);<br>c) How trustworthy is the device and software that you use to browse;<br>d) What is *your* risk (financial or otherwise) if anything goes wong because of some transaction.</p><p>So I'm not saying that DV certificates should disappear, but that users should be able to distinguish between knowing just an address versus a website owner identity that was verified with high reliability, as well as a spectrum between those extremes.</p><p>W.r.t. the killing of EV-certificates (by Google) based on one incident ("Stripe, Inc") and the assumption that "nobody checks certificates": that incident was caused by the fact that the visible identifying EV information was not worldwide unique (not even between US states) - which is a design error.</p><p>Also, certificates contain way too much non-interesting information for end users (serial numbers, SAN's, public key etcetera). This must be fixed.</p><p>Furthermore, wildcard certs and certs with lots if seemingly unrelated SAN's (*) in them should have lower reliability scores. If anyway possible, shared hosting should also decrease the reliability score.</p><p>(*) Today I ran into one with 582 SAN's: <a href="https://crt.sh/?id=7293782180" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crt.sh/?id=7293782180</span><span class="invisible"></span></a> - part of them are IDN's containing "characters" such as 📞, 😽, 💙 etcetera. This cert seems to have been used by a domain name parker, but the one with 📞, appears to be live now (with a certificate only for itself) : <a href="https://www.virustotal.com/gui/domain/vdiarybook-com.xn--3t8h.to/summary" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/domain/vdia</span><span class="invisible">rybook-com.xn--3t8h.to/summary</span></a> (see "Siblings").</p><p>If end users are not provided with the minimum information required to reasonably assess their risks, or if most or all of them just don't (know how to) do that, then the internet is useless for medium to high-risk transactions. There will be too many victims of fraud (safety-nets are disappearing in NL) and too many company networks will get breached.</p><p><a href="https://infosec.exchange/tags/X" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>X</span></a>.509 <a href="https://infosec.exchange/tags/x509certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>x509certificates</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/Certificate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificate</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OV</span></a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EV</span></a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QWAC</span></a> <a href="https://infosec.exchange/tags/CSP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CSP</span></a> <a href="https://infosec.exchange/tags/CABforum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CABforum</span></a> <a href="https://infosec.exchange/tags/Browser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Browser</span></a> <a href="https://infosec.exchange/tags/Browsers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Browsers</span></a> <a href="https://infosec.exchange/tags/Trust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Trust</span></a> <a href="https://infosec.exchange/tags/Reliability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Reliability</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/CA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CA</span></a></p>
TrendingLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
LoginDrag & drop to upload