On Sat, June 18, 2016 18:39, Gordon Messmer wrote:> On 06/18/2016 02:49 PM, James B. Byrne wrote:
>> On Fri, June 17, 2016 21:40, Gordon Messmer wrote:
>>> https://letsencrypt.org/2015/11/09/why-90-days.html
>> With respect citing another person's or people's opinion in
support
>> of
>> your own is not evidence in the sense I understand the word to mean.
>
> I'm not interested in turning this in to a discussion on epistemology.
> This is based on the experience (the evidence) of some of the world's
> foremost experts in the field (Akamai, Cisco, EFF, Mozilla, etc).
Really? Then why did you forward your reply a private message to a
public mailing list if not to do exactly what you claim you wish to
avoid?
>
>> The assertion expressed in the link given above that 90-day
>> certificate lives will serve to increase certificate renewal
>> automation is at best a pious hope.
>
> You are ignoring the fact that the tool used to acquire letsencrypt
> certificates automates the entire process. They're not merely hoping
> that users will automate the process, they're automating it on behalf
> of users. They've done everything but schedule it for their users.
>
>> One that is unlikely to be
>> realised in my opinion for the simple reason that automated and
>> therefore mostly unobserved security systems are a primary target
>> for tampering.
>
> For someone who wants "evidence" you make a lot of unsupported
> assertions. You do see the irony, don't you?
The difference is that I state this is my opinion and I do not claim
it as a fact. Your statement claimed a factual basis. I was
naturally curious to see what evidence supported your claim.
>
>> Likewise the authors' opinion that pki certificates are in
>> general just casually left laying around to be compromised displays
>> a
>> certain level of what reasonably could be considered elitist
>> contempt
>> for the average human's intelligence.
>
> Or, you know, a review of actual security problems in the real world.
>
>> Even as arguments I find these two positions are less than
>> compelling.
>> And in no respect could either opinion be considered evidence.
>
> That's fine. I don't really need to convince you, personally, of
> anything. But for the security of the internet community in general,
> I'll continue to advocate for secure practices, including pervasive
> security (which means reducing barriers to the use of encryption at
> all points along the process of setup).
>
>
I know, and we put infants on no-fly lists for essentially the same
religious beliefs. The benefit of so-called general security for the
rest of us who do not have to bear its individual specific cost. The
is no evidence that this sort of stuff works. It is just done so that
if anything bad happens the authorities can claim that they did
something preventative which they can point to. Regardless of how
ineffectual it was.
Automated security is BS. It has always been BS and it always will be
BS. That is my OPINION. It may not be a fact for I lack empirical
evidence to support it. However, it has long been my observation that
when people place excessive trust in automation they are are
eventually and inevitably betrayed by it. Often at enormous cost.
Let me give you an example of stupidity in action with respect to
signed certificates. I have a MacBookPro c. early 2009. There have
been five or six major releases of OSX since then. Being a cautious
type I download the upgrade installer apps and archive them before
installing and upgrading.
Over this past weekend my MB stopped booting. It would get to the
Apple symbol and go black. Much trial, error, and research later I
discover that this is sometimes occurs when a MB has been repeatedly
upgraded and that a clean install is the recommended cure. Oh,
by-the-way, if you ever have to do this then do not use the Apple
Migration Assistant app when you are done. You will be sorry.
So, I get out my archived Installer app, go to install it and BANG! My
MB proclaims that "Somebody has tampered with the application or it is
corrupted!". OH NO!
This impediment however is strictly an artefact of signing code with
short term certificates. I simply had to reset the date on my MB back
to some future date when the certificate was valid and everything
worked fine. Of course this took me a great deal of frustrating
effort to discover what had happened to all of my archived copies and
how to fix it. In the middle of a system recovery I might add.
But hey, what is my time worth in comparison to the security those
certificates provided? SECURITY that was trivially evaded in the end.
Exactly what mindless person or committee of bike-shedders decided
that software should be distributed so that copies of it expire? What
security issue was addressed by this decision? What benefit to the
public was achieved?
When real people suffer real inconvenience and real loss of productive
effort because of mindless adhesion to bromide based cures that are
blandly offered for ills that mostly exist in the imagination of the
ignorant then yes; I require evidence of their efficacy. And lining
up a bunch of band-wagon pundits chanting the same vacuous refrains is
not evidence.
And this one is going to the list.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3