Hacker News

I tend to treat service TLS certificates more like shared keys than PKI. Too many pieces of software don't handle revocation; it's easier to regenerate the CA and the entire set of certificates when you change your setup.


If you control all the clients/browsers (i.e. you can immediately modify the required trust stores), you don't have any use for PKI whatsoever.

PKI's use case begins with shipping a trust store into the wild, where it will run unchanged for months or years.


The better solution is to do what Vault does. Use only ephemeral certificates for servers and clients. It wouldn't be too hard to change them every week or so using the ACME protocol.


ACME has a revocation workflow. Having my lost certificates be valid for a week is still unacceptable.
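The two strategies argued over in this thread, a one-week ephemeral certificate and wholesale regeneration of the CA, both work by making a client's ordinary checks fail without any revocation machinery. The following Go program, written as an added example for this thread and not posted by any of the commenters, uses only the standard library's crypto/x509 to build a throwaway CA "A", issue a 7-day server certificate from it, and then run the verification a TLS client would perform at three points: on day 1 against CA A (accepted), on day 8 against CA A (rejected as expired, bounding the exposure of a lost key to the one-week window the last comment objects to), and on day 1 against a freshly regenerated CA "B" (rejected as unknown authority, the effect of the first comment's "regenerate the CA" approach). The service name and CA names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA valid for one year from now (constructed for this example).
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues a server certificate for host that expires lifetime after now.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt runs the checks a TLS client trusting only ca performs: chain building,
// hostname match and validity window at time at. Deliberately no revocation check.
func verifyAt(leaf, ca *x509.Certificate, host string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Result records what happens to a one-week certificate under both strategies.
type Result struct {
	ValidOnDayOne     bool // accepted by a client trusting the issuing CA
	ExpiredOnDayEight bool // rejected once the one-week window has passed
	RejectedByNewCA   bool // rejected by a client whose trust store now holds a regenerated CA
}

// RunScenario issues a 7-day leaf from CA "A" and checks it on day 1, on day 8, and against CA "B".
func RunScenario() (Result, error) {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	const host = "svc.internal.example" // hypothetical service name
	caA, keyA, err := newCA("Example Internal CA A", now)
	if err != nil {
		return Result{}, err
	}
	leaf, err := issueLeaf(caA, keyA, host, now, 7*24*time.Hour)
	if err != nil {
		return Result{}, err
	}
	caB, _, err := newCA("Example Internal CA B", now) // the regenerated CA; leaf was never signed by it
	if err != nil {
		return Result{}, err
	}
	var r Result
	r.ValidOnDayOne = verifyAt(leaf, caA, host, now.Add(24*time.Hour)) == nil
	var invalid x509.CertificateInvalidError
	r.ExpiredOnDayEight = errors.As(verifyAt(leaf, caA, host, now.Add(8*24*time.Hour)), &invalid) && invalid.Reason == x509.Expired
	var unknown x509.UnknownAuthorityError
	r.RejectedByNewCA = errors.As(verifyAt(leaf, caB, host, now.Add(24*time.Hour)), &unknown)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // all three fields are true
}
```

Note that `verifyAt` pins `CurrentTime` rather than using the wall clock, so the same program reproduces the day-8 rejection deterministically; in a real client the window is enforced against the host's clock, which is why short lifetimes only help where clocks are reasonably synchronised.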



