Short lived certificates cannot solve the “un-aware victim” problem – 3

| Posted by , under Uncategorized

We continue to exchange ideas, information and photos… And here is my latest response to the latest response

First of all, the author is unaware that my company has built the most sophisticated Certificate Management system that can automatically request, issue, renew and manage the whole lifecycle of the certificate. Many Fortune 500 companies rely on this amazing technology to manage their PKI infrastructure. So it is with that expertise and insight I must insist that the author does not appreciate the nuance between “high frequency” renewal vs “low frequency” renewals. Short lived certs will require “high frequency” renewal system. To an IT admin this is a scary prospect! They tell us that! Let me explain further… Business continuity is a must for any enterprise. There has to be plans put in place for “what ifs”. Today in a “low frequency” PKI management, there is enough time if “what if” were to occur, to resolve it practically (if the renewal system fails, there is enough time to remedy it without causing outage and business continuity is adjusted for this time frame). If we reduce the time to lets say a “day” (I know this is a sore point with the Author, but this is my view of what is an acceptable security risk. I don’t want to be exposed to malicious acts for more than a day, thank you! ) this will eliminate any contingency time for business continuity.

So to summarize, I believe in automation (we make money from automation!), but trying to increase frequency will cause all sorts of practical issues. Yes I do believe and like driving a car, but not at 300 miles an hour! Dynamics of driving a car at 300 miles an hour is very different than driving it at 30 miles an hour! I believe it will take us more than 10 years to change the computing ecosystem to even drive 100 miles an hour in certificate automation! (for disclosure: I would have a huge gain financially for increasing automation)

 

 

 

 

 

 

 

 

 

Although the above is how I started this blog, but main reason to respond to author’s latest post is the following statement

“increased rate of technological adoption it would take close to ten years given the state of things for such a solution to be fully deployed if we started right now”

This above statement is what got me to say:

 

 

 

 

 

 

 

 

 

I must respectfully disagree with the author. I believe there can be a scalable revocation infrastructure that can serve status for all certs from all CAs that is backward compatible with existing issued certificates that can be called from a browser. As I said before I do believe in the ingenuity of our scientist and engineers to bring us this solution……soon….

And I again wholeheartedly agree with this statement from the author

“Defining an OCSP transport based on DNS that would reduce dependency on CA infrastructure reliability,”

Lets call it DCSP 😉

Melih