(no title)
wbond | 4 years ago
This means every three months you need to re-authenticate with Apple Pay. But there is no Acme client for authenticating with Apple Pay. So instead, I was having to re-authenticate something manually every 3 months. It involved logging into an Apple Developer account, downloading a PEM file, uploading to my server and then clicking a button in the Developer Account to check the file.
After doing that dance, I happily paid for 2 year certificates from RapidSSL. Now you can only buy one year certificates. I really hope the CAB isn’t successful in making those non-conforming and requiring shorter certs.
There are plenty of other environments where certificate automation is not possible. And honestly, I haven’t seen arguments as to how on-machine automation is more secure than requiring someone be involved in the process.
While I’m dreaming about improvements to the CA ecosystem, having some way to actually prove your are the company you claim would be amazing. Instead we are actively removing support for anything that tried to provide that…
infogulch|4 years ago
wbond|4 years ago
I care more about making it easy for people to pay me than getting “free” certificates that cost me hundreds of dollars in labor costs.
Everyone talks about LE like it is perfect. I’ve just determined after using it at four different orgs that for smaller shops it tends to take more time/money to get it working than using long expiring certs deployed via an automation system.
Honestly, setting up even more automation, like you suggest Apple provide, would probably cost 5x in labor as being able to purchase 3 year certs for the next 12 years.
Automation is great when you have scale. In this case, I don’t. I tend to work at smaller companies, so I’ve never worked at an org big enough for the automation to pay off versus buying certs.
tialaramex|4 years ago
Some people might look at that and conclude Apple is the problem, but you apparently decided it's "the CA ecosystem".
You can get proof you "are the company you claim" from CAs today, both OV and EV support that capability, but let me guess, Apple doesn't make any use of that information and so once again rather than spot where the problem is, you'll give Apple a free pass and blame everybody else.
Edited to add: As to "actively removing support for anything that tried to provide that… " EV doesn't do what people expect it to do. Maybe Apple knows whether they want to do business with the Ohio Funky Rabbit Pizza or the West Virginia Funky Rabbit Pizza, but the customer has no clue that those are even different companies, much less which is which, so the whole "Let's show the company name in the browser" doesn't achieve what its proponents wanted, not least because of course it'll turn out the "Funky Rabbit Pizza" restaurant actually in Coolville Ohio isn't run by either company but instead by Generic Food Holdings Inc. registered in New York, so with an EV cert their legitimate web site says "Generic Food Holdings Inc." which is even more suspicious, not less.
JshWright|4 years ago
mdaniel|4 years ago
Did you open a ticket with Okta about that? I'd like to "me, too" and/or watch it, if so
sleevi|4 years ago
That sounds like Apple Pay is encouraging certificate pinning, and I suspect the Apple Root Program may have opinions to the contrary, given how it puts Apple users at risk to encourage pinning.