Comment by midtake
1 day ago
Why 6 day and not 8?
- 8 is a lucky number and a power of 2
- 8 lets me refresh weekly and have a fixed day of the week to check whether there was some API 429 timeout
- 6 is the value of every digit in the number of the beast
- I just don't like 6!
> 8 lets me refresh weekly and have a fixed day of the week to check whether there was some API 429 timeout
There’s your answer.
6 days means on a long enough enough timeframe the load will end up evenly distributed across a week.
8 days would result in things getting hammered on specific days of the week.
> 6 days means on a long enough enough timeframe the load will end up evenly distributed across a week.
people will put */5 in cron and result will be same, because that's obvious, easy and nice number.
If they put */5 in cron, a single error response will break their site and the beginning of March will also break their site.
3 replies →
I'd have it renew Monday and Thursday to avoid weekend outages.
If I would use short-lived certs I would make sure to choose an ACME client that has support for ARI (ACME Renewal Information). Then the CA will tell the client when it’s time to renew.
ACME doesn't renew certificates when there's enough time, so it'll always renew around 6 days, even if you check more aggressively.
Currently ACME sets its cron job to 12 days on 90 day certificates.
1 reply →
I thought people generally run it daily? It’s a no-op if it doesn’t need renewal.
so now people that want humans around will now renew twice in a week instead of once?
Oh definitely not. They don't want humans doing any renewals.
Worry not, cause it's not 6 days (144 hours), it is 6-ish days: 160 hours
And 160 is the sum of the first 11 primes, as well as the sum of the cubes of the first three primes!
Mr Ramanujan, I presume?
I was hoping Wolfram|Alpha would spit out the above, but on just entering 160 [1], we get
> A regular 160-gon is constructible with straightedge and compass.
> 160 has a representation as a sum of 2 squares: 160 = 4^2 + 12^2
> 160 is an even number.
> 160 has the representation 160 = 2^7 + 32.
> 160 divides 31^2 - 1.
> 160 = aa_15 repeats a single digit in base 15.
[1] https://www.wolframalpha.com/input?i=160
Every K-Paxian knows this.
Because it allows to you to work for six days, and rest on the seventh. Like God did.
² By the seventh day God had finished the work He had been doing; so on the seventh day He rested from all His work. ³ Then the on-call tech, Lucifer, the Son of Dawn, was awoken at midnight because God did not renew the heavens' and the earths' HTTPS certificate. ⁴ Thusly Lucifer drafted his resignation in a great fury.
I just got home from a stressful day in retail (oh who am I kidding; every day is stress in retail) and this gave me a chuckle I really needed. Thank you.
Is this the TLS version of the Bible?
2 replies →
Gilfoyle?
This made my day :D
I don't think He worked after the 6th day. Went on doing other pet projects
6 days to write a prompt. One day to unleash the agents in yolo mode
Not my god. My god meant to go into work but got wasted and eventually passed out in the bathtub, fully clothed and holding a bowl of riceroni.
Didn't the Garden of Eden have a pretty massive vulnerability where eating one apple would give you access to all data on good and evil?
Standard memory disclosure: the apple when eaten would be freed, but it would still be read, leaking its contents. Luckily its volume was low, so they couldn't exfiltrate all of it. But still, the heavens are closed for maintenance, pending a rewrite in Rust.
It's actually 6 and 2/3rds! I'm trying to figure out a rationale for 160 hours and similarly coming up empty, if anyone knows I'd be interested.
200 would be a nice round number that gets you to 8 1/3 days, so it comes with the benefits of weekly rotation.
I chose 160 hours.
The CA/B Forum defines a "short-lived" certificate as 7 days, which has some reduced requirements on revocation that we want. That time, in turn, was chosen based on previous requirements on OCSP responses.
We chose a value that's under the maximum, which we do in general, to make sure we have some wiggle room. https://bugzilla.mozilla.org/show_bug.cgi?id=1715455 is one example of why.
Those are based on a rough idea that responding to any incident (outage, etc) might take a day or two, so (assuming renewal of certificate or OCSP response midway through lifetime) you need at least 2 days for incident response + another day to resign everything, so your lifetime needs to be at least 6 days, and then the requirement is rounded up to another day (to allow the wiggle, as previously mentioned).
Plus, in general, we don't want to align to things like days or weeks or months, or else you can get "resonant frequency" type problems.
We've always struggled with people doing things like renewing on a cronjob at midnight on the 1st monday of the month, which leads to huge traffic surges. I spend more time than I'd like convincing people to update their cronjobs to run at a randomized time.
I have always been a bit puzzled by this. By issuing fixed length certificates you practically guarantee oscillation. If you have a massive traffic spike from, say, a CDN mass reissuing after a data breach - you are guaranteed to have the same spike [160 - $renewal_buffer] hours later.
Fuzzing the lifetime of certificates would smooth out traffic, encourage no hardcoded values, and most importantly statistical analysis from CT logs could add confidence that these validity windows are not carefully selected to further a cryptographic or practical attack.
A https://en.wikipedia.org/wiki/Nothing-up-my-sleeve_number if you will.
2 replies →
It's less than 7 exactly so you cannot set it on a weekly rotation
biweekly rotation?
2 replies →
Six is the smallest perfect number. Perfection is key here.
Why not refresh daily?
The are some great points