The concern is that a compromised device could leak a cert that is then used for attacks.
Yeah. Everyone gets that.
The question was whether this is worth the damage seen in the wild thus far.
And I’m curious too: show me how it’s not some market trying to FUD and FOMO us into yet more rigamarole for the sake of security and also sales. Security is rich in “better safe than sorry” snake oil.
Are we trading certs lasting ‘too’ long, a problem that may not yet exist, for a much harder problem of properly securing the renewal chain?
Are we going to have very secure keys but on code with 181 sploits in the supply chain, that we neither know about nor can fix because of rug-pulled compatibility if we did?
You can still use self-signed certs. You just can’t use them on the public internet.
You can, but it might scare off some of your audience.