Comment by ocdtrekkie

12 hours ago

They wouldn't and that is part of the problem. We are stuck with a fragile and insecure certificate strategy because the existing strategy allows Google significant control of the ecosystem.

The "I support shorter lifetimes so this all comes crashing down" comment I made earlier is arguably a bit facetious, but I do think the PKI wonks in the CAB are pretty much accountable to no one until they break things badly enough that their bosses have to pay attention to the problem.

Antitrust enforcement remains the fix here.

What other mainstream browser are you counting on to ever support DANE?

  • I feel like this comment ignores the fact that right now all of them are effectively tied to Google, and that supporting DANE if Google doesn't is currently pointless, so obviously no one would until the status quo changes.

    Ultimately the problem is that currently "security best practice", as it's commonly discussed, says what we're doing now is a good idea. It's not, and until we change the understanding on that, nobody's going to feel motivated to do better.

    Password rotation used to be considered a gold standard strategy for security, until people realized not only did it make everything harder, it also encouraged people to choose less secure passwords and was largely self-defeating.

    If I told you we could improve a 90-day password rotation policy by making it change every week, you'd rightly call me crazy, but for some inconceivable reason (monopoly, perverse incentives, appeal to an authority run by idiots, name your choice), people act like decreasing certificate lifetime is somehow going to make the web safer.