|
Doesn't fish shell kinda do that? I've been meaning to check it out but
|
# ? Mar 15, 2024 22:52 |
|
Subjunctive posted: great time to get off VMware, just migrate everything tomorrow and get off their licensing disaster

great time also to move to Oracle's VirtualBox if you want to do Vargskelethor-style destructions
|
# ? Mar 15, 2024 22:53 |
|
JAnon posted: great time also to move to Oracle's

going to stop you right there
|
# ? Mar 15, 2024 23:02 |
|
never download the extension pack lol
|
# ? Mar 15, 2024 23:21 |
|
There's nothing wrong with qemu. For local VMs that is. For enterprise, yeah, you probably need some support around it. And that's just proxmox as far as I know.
|
# ? Mar 15, 2024 23:21 |
|
post hole digger posted: going to stop you right there

"lol" - former oracle engineer for oke
|
# ? Mar 16, 2024 02:01 |
|
because oracle was a joke
|
# ? Mar 16, 2024 02:02 |
|
does oracle still maintain their linux
|
# ? Mar 16, 2024 03:09 |
|
yeah, OL with the unbreakable kernel is still a thing afaik. does this thread like spicy CAB forum chat or is that too in the weeds. either way, this seems...uh... https://bugzilla.mozilla.org/show_bug.cgi?id=1883843
|
# ? Mar 16, 2024 03:36 |
|
Winkle-Daddy posted: yeah, OL with the unbreakable kernel is still a thing afaik.

quote: We have not stopped issuance and we are not planning to stop issuance or to revoke certificates issued, we do think that this miss alignment between baseline requirements and the EV guidelines was an unintended oversight of SC-62v2 as explained in the root cause analysis. Revoking these certificates would have unnecessary big impact to our customer and the WebPKI ecosystem overall.
|
# ? Mar 16, 2024 03:54 |
|
really looking forward to the “but dad, I don’t waaaaannaaaaaa” non-revocation incident too
|
# ? Mar 16, 2024 04:32 |
|
Subjunctive posted: really looking forward to the “but dad, I don’t waaaaannaaaaaa” non-revocation incident too

it's so loving wild and terrifying to me that such a fundamental part of web trust is basically non profits and corporations in loose agreement to follow some BRs. this_is_fine.jpg

e: this seems pretty flagrant. I've not seen any appetite for disciplinary action in years. kind of hope this changes that...

Winkle-Daddy fucked around with this message at 04:49 on Mar 16, 2024 |
# ? Mar 16, 2024 04:43 |
|
yeah reading into it now and they have a separate issue where they had a couple of servers doing ocsp responses with sha-1 over 1.5 years after that had been sunset: https://bugzilla.mozilla.org/show_bug.cgi?id=1879602 they're also not responding to questions there on compliance self-assessments. that they're continuing to mis-issue certificates and push their own policy change forward ignoring that it isn't retroactive is comical. also imply they can't handle a full revocation and reissuance within 24h which uh..
|
# ? Mar 16, 2024 04:55 |
|
Winkle-Daddy posted: it's so loving wild and terrifying to me that such a fundamental part of web trust is basically non profits and corporations in loose agreement to follow some BRs. this_is_fine.jpg

Entrust isn’t big enough to invoke MAD. they can say that they are revoking their root with 90 days public notice and let people migrate, without there being enough people to push back on it

when I did CA/B forum and Mozilla root stuff (meaning that Kathleen Wilson did stuff and I paid her invoices and forced code changes) there was an implicit escalation path to some US and EU government agencies who were ready to take strong action, but we never had to invoke it (even for digitrust or whoever it was that did the Dutch govt stuff before I got to death sentence them). I assume it’s still available, though Entrust is a Canadian company so maybe slightly more complicated
|
# ? Mar 16, 2024 04:58 |
|
Wiggly Wayne DDS posted: also imply they can't handle a full revocation and reissuance within 24h which uh..

well, they imply that their customers can’t because they’re all doing manual management of certs, which is certainly plausible (and likely for EV since I don’t think there’s a way to automate issuance of them yet? loving EV, I should never have gone along with it)
|
# ? Mar 16, 2024 04:59 |
|
Subjunctive posted:well, they imply that their customers can’t because they’re all doing manual management of certs, which is certainly plausible (and likely for EV since I don’t think there’s a way to automate issuance of them yet? loving EV, I should never have gone along with it)
|
# ? Mar 16, 2024 05:03 |
|
Wiggly Wayne DDS posted: and yet they make a song and dance out of pushing for automation therefore they should be treated differently which also lol

for all I know their ACME stuff for EV is cool and good, but they still hosed up issuance and the remedy for that is crystal clear. they’re also still issuing bad certs, making the problem increasingly worse for them and their customers. wish I could hear the support calls with “so you knew these certs were invalid and likely subject to revocation, but you took our money and issued them to us anyway?”

also lol at 24,000 certs that were recently issued (meaning that someone at the customer knows how to install a new cert) being treated as some apocalyptic disaster if revoked. extremely rookie numbers, especially since those sites can trivially get a non-EV cert to replace it in about 8 seconds with ACME
|
# ? Mar 16, 2024 05:09 |
|
fuckin' lol that entrust guy on the mozilla bug is the vice chairperson of the CA/Browser forum https://cabforum.org/about/leadership/#current-cabrowser-forum-chair-and-vice-chair
|
# ? Mar 16, 2024 06:11 |
|
Subjunctive posted: well, they imply that their customers can’t because they’re all doing manual management of certs, which is certainly plausible (and likely for EV since I don’t think there’s a way to automate issuance of them yet? loving EV, I should never have gone along with it)

there’s no yet, automating EV issuance is impossible by definition. EV CAs are required to verify things like whether a subscriber is an authorized representative of some entity like a corporation or a government. that’s not something you can write an rfc for and automate the way that you can for verifying control of a DNS name for DV.
|
# ? Mar 16, 2024 06:52 |
|
fun times but tmi
spankmeister fucked around with this message at 17:46 on Mar 17, 2024 |
# ? Mar 16, 2024 08:55 |
|
Late to password manager chat but we use secret server which is equal parts good and frustrating

Better than a shared keepass file, at least
|
# ? Mar 16, 2024 10:04 |
|
shackleford posted: fuckin' lol that entrust guy on the mozilla bug is the vice chairperson of the CA/Browser forum

... I'm just gonna scream into my pillow for a few minutes. brb.
|
# ? Mar 16, 2024 14:55 |
|
i thought you knew that it was in the comment section
|
# ? Mar 16, 2024 14:57 |
|
alright, I'm either super dumb or super uncaffeinated; either way i'm not fully sure what's so dumb about what's going on.
|
# ? Mar 16, 2024 15:25 |
Neito posted: alright, I'm either super dumb or super uncaffeinated; either way i'm not fully sure what's so dumb about what's going on.

I'm no expert on this, but the gist of it that I got was that Entrust:
|
|
# ? Mar 16, 2024 15:56 |
|
I know nothing about it and have no reason to professionally care but I still love reading about certificate drama
|
# ? Mar 16, 2024 16:04 |
|
Winkle-Daddy posted:it's so loving wild and terrifying to me that such a fundamental part of web trust is basically non profits and corporations in loose agreement to follow some BRs. this_is_fine.jpg
|
# ? Mar 16, 2024 16:33 |
|
Wiggly Wayne DDS posted:yeah we love this poo poo lol holy poo poo, when was the last time the cab just ripped a motherfucker out entirely?
|
# ? Mar 16, 2024 17:06 |
|
lol i just went window shopping for an EV SSL cert and you can buy these things for like $40/year now? i haven't touched an apache in like 15 (?) years but EV SSL certs are now cheaper than regular SSL certs in the bad old internet explorer days, even before factoring in inflation?

quote: EV certificates are standard X.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement.

lol is this true? there is no standardized OID for EV certs? you have to grovel around in some PDF on a CA's website and find a CA-specific OID value? why does anybody pay for this poo poo any more when it's been years since anyone could tell the difference between DV and EV
|
# ? Mar 16, 2024 17:46 |
|
That's why it's only $40, OP.
|
# ? Mar 16, 2024 17:57 |
|
raymond t racing’s guide to certificates

Step 1 install caddy

step 2: gently caress off for the rest of the day and bill for the whole day
|
# ? Mar 16, 2024 18:13 |
|
Volmarias posted: That's why it's only $40, OP.

yeah $40 is the bargain basement "SSLs.com" price. name brand entrust EV SSL certs are about $382/year.
|
# ? Mar 16, 2024 18:20 |
|
zero knowledge posted: there’s no yet, automating EV issuance is impossible by definition. EV CAs are required to verify things like whether a subscriber is an authorized representative of some entity like a corporation or a government. that’s not something you can write an rfc for and automate the way that you can for verifying control of a DNS name for DV.

yeah, I don’t know where Entrust dude is headed with his ACME RFC but I’m sure it’s nowhere good

shackleford posted: fuckin' lol that entrust guy on the mozilla bug is the vice chairperson of the CA/Browser forum

nobody wants that position. it’s basically a sign that you don’t have enough work to do at your real job, pure time wasting
|
# ? Mar 17, 2024 00:42 |
|
Subjunctive posted: yeah, I don’t know where Entrust dude is headed with his ACME RFC but I’m sure it’s nowhere good

feels like a delay and pray move tbh
|
# ? Mar 17, 2024 03:30 |
|
Progressive JPEG posted: feels like a delay and pray move tbh

if I understand the chronology, all this poo poo predated them making the bad change to issuance, so I’m even more confused than if it were just closing the barn door after the horse has burned his house down
|
# ? Mar 17, 2024 06:00 |
|
i miss the CA/B forum twitter bot that was supposed to tweet random bits from the minutes but broke and repeatedly tweeted the same thing over and over again

by miss i mean "i can't find it anymore"
|
# ? Mar 17, 2024 06:19 |
|
I looked around at bugzilla, and another CA having a great time is buypass. back in june they filed a notice[1] that they'd made an error in an issuance, they checked the wrong email address. "this was an error in our manual verification process but don't worry we won't do it again". someone asked for clarification, and they mentioned that "The CAA record lookup is done using external DNS tools", i.e. https://toolbox.googleapps.com/apps/dig/. they of course got dinged for that (as a CA they're not supposed to delegate that to an unaudited third party), and created a new issue[2] to correct that.

then it came out that their automated verification uses 8.8.8.8 for lookups, and guess what, new issue (filed on december 29th[3] too, oof). one of the issues is that google public dns isn't guaranteed to verify dnssec. but of course all those automated certs needed to be revoked [4]

overall I would say that the people responding to the issues were very professional, and someone questioned google trust services about using the google public infrastructure[5] (and potentially not always verifying dnssec). google got questions that are as "hard" and detailed as the ones buypass got. except of course they had their ducks in a row and were able to answer the questions without going "whoops" every second question

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1838421
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1839305
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1872371
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1872738
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1873739
|
# ? Mar 17, 2024 18:33 |
|
steadfast refusal to understand what a delegated third party is and you've been running certs that way since at least 2017 lol
|
# ? Mar 17, 2024 19:26 |
|
also a "we can't possibly revoke this cert too quickly, it's used in critical infrastructure!"
|
# ? Mar 17, 2024 20:37 |
|
“if we have to reissue all those certs in 24 hours it proves there’s no difference between us and let’s encrypt/zerossl using ACME”
|
# ? Mar 17, 2024 21:24 |