What happened to personal freedom of letting people choose for themselves how long a certificate should last? Not really liking this trend of large companies making decisions for others and then forcing them on everyone.
I'm not sure how you think certificates work? It's not for 'yourself' - the certificate is an assertion to billions of users worldwide, called relying parties. If you don't care about those, then you can use a private CA. If you do care (and want anyone's browser to work) then it's not a 'personal freedom'.
A lot of CAs are non-american. Also not sure how encrypted HTTP and DNS allows google to snoop on your traffic? If you don't trust google then don't use their eDNS service?
Also in this case, "safety" can be defined as protecting American companies from lawsuits while ensuring they continue to make lots of money from extorting SSL certificate sales.
>while ensuring they continue to make lots of money from extorting SSL certificate sales.
Which IaaS/PaaS providers are doing this? Most of the popular ones I know (ie. not some shady shared hosting reseller using whmcs solutions) lets you upload whatever certificate you want, or has certificates for free/included in the monthly price. In other words they're not going to benefit from shorter lived certificates. In the worst case you can set up cloudflare "flexible SSL" in front of your site and get it for free.
I find it interesting that all of the arguments seem to be about the merits of whether pushing this on everyone is good or not, and they all take for granted that personal freedom does not matter anymore.
I dislike not being able to choose my SSL lifetime for the same reason I do not like a web browser deciding for me if I can use my own CA. In both cases choices are being made for me, whether I like them or not.
And making ourselves completely dependent on those certificate authorities handing out certs. Dystopian, a couple of mega corps deciding who gets a cert and who doesn't.
My site is http-only because I prefer to not be dependent on those certificate authorities handing out certs, because it's been that way for 25 years, because there is zero confidential data on it, and because the issues concerning snooping and ad insertion by intermediates is not a real threat to my limited readership.
However, there is the https-only movement to prevent web browsers from viewing my website, because it it not https and therefore not 'safe'.
This movement overlaps pretty well with the people who don't accept other different certificate authorities.
> However, there is the https-only movement to prevent web browsers from viewing my website, because it it not https and therefore not 'safe'.
Like i said, nothing is stopping you from doing whatever you want other than the fact that other people might not like it, and might choose to treat your website differently. Just like you can choose not to use https, other people can choose not to like sites that don't use https. Freedom goes both ways.
The point is that if the browsers make it hard enough to actually use HTTP sites then it doesn't really matter if the user is OK with that. Same with self-signed certificates or private CAs.
Certificates are particularly painful because it sometimes seems that every program that needs them has its own way to find them. I can't just install in one OS-wide store and say that it should work just like the certificates from the major certificate authorities.
No, I have to install it in Chrome and Firefox. Oh and I've got some Python scripts and some Perl scripts and some PHP scripts that need it, so I've got to put it where they want. And let's not forget curl and wget. And how about thing I'm running in a VM or under Docker? Or database clients.
I thought you were too dismissive with your use of "nothing is stopping you."
There is a big difference between "nothing is stopping you from starting an exercise program" and "nothing is stopping you from being the ruler of the planet" even though the construction is the same.
Sure, but we are talking about open source software you can fork and change however you like, the difficulty level is a bit in the middle. I'd put it more on the level of - if you dont like the food a resturant serves, nothing is stopping you from opening your own. Yes its hard, but certainly not impossible.
Nothing stopping you running your own CA and issuing your own certs.
Your actual problem is that the browser vendors (who decide which certs should live in the root store) have certain criteria which CAs need to meet in order to be trusted.
Why should Firefox / Chrome / etc. have to honour your desire that your arbitrary-length lifetime certs are trusted by default in their browsers? You still have the personal freedom of installing your own CA root if you like.
The networked environment of today is rapidly phasing-out anything not passing through big bulky systems (most of the time these are for-profit firms). While we wait for the moment one of them (like Let's Encrypt or Sectigo or some BS from FAANGs) will become a SPoF and mess up services anywhere, you can always roll a private CA, use SSH tunnels or SOCKS proxies.
The depends where you live, and what the government means. In some places the validity of a passport is written in a law, voted by the parliament; in other it's a operation decision by the government (e.g. the ministry of the internal affairs).
Where I live it's a law voted by the parliament.
Also TLS fingerprints and biometrical data are "hashed" data, if that's what you mean about having in common.
It's got nothing to do with what committee decides what the expiry is and how they then enforce it. The thing that certs and passports have in common is unrelated to whether the issuer is a governmental body or not.
They're both centrally revokable, attested assertions of identity, where the attestation can be validated with the attester offline.
If you try and come up with a design for any system that includes this type of assertion, you'll end up in a place where you'll probably want it to expire and need re-validation at some point. That expiry is a property of the attestation, and is therefore controlled by the person/group doing the attestation. In the case of a passport, this happens to be the government. For a cert, it's the CA.
Passport/ID document expiration dates are decided by law. Therefore it is in fact "the government." Do you think there should be a law limiting the lifetime duration of an SSL cert to 45 days?
The CAB forum is not a company (although it is made up of some) and the government does not set passport max validity lengths (they can make it shorter than 10 years, just like CAs can make certs shorter, but there is a reason no country gives out passports longer than 10 years)
