
edoggie | 2 years ago

No, absolutely no, people should stop using Chrome if this is the case. Certificate management is challenging, not everyone has budgets like Google to automate this stuff. Just no.


LinuxBender | 2 years ago

I second this. I know of companies that have thousands of certs, sub-domain wildcard certs, sub-domain certs, and while in an ideal world these would be automated, many of the cert providers do not yet offer a consistent standardized API, if any API at all.

Today, over 50% of the certificates issued by the Web PKI rely on ACME.

This is not a great stat to base anything on as not all sites are equal. I can see most hobby, small business sites and new greenfield deployments having certs that utilize an ACME compatible API. Older businesses will have to drop what they are doing and shift priorities to make this happen. I foresee a lot of outages if they are not careful about determining a timeline. In my experience government offices will be the most challenging to get updated and automated and that could lead to some interesting compliance and regulatory violations.

In this same proposal, we introduced the idea of making Online Certificate Status Protocol (OCSP) services optional.

This part I agree with. That privacy leak should have been deprecated ages ago especially with OCSP stapling. Stapling support needs to be more widely adopted by more TLS terminating software and hardware.
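As an added illustration of the stapling point above (this is not configuration from anyone in the thread), here is an nginx TLS server block showing the default, non-stapling state beside the stapling configuration. The hostname, file paths and resolver address are placeholders, not values from the discussion.

```nginx
# Added example, not from the thread: enabling OCSP stapling in nginx.
# example.com, the /etc/ssl paths and the resolver address are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # Weak (default) state: stapling is off, so each client contacts the CA's
    # OCSP responder itself, revealing which sites it visits to the CA.
    # ssl_stapling off;

    # Corrected state: nginx fetches the OCSP response and staples it into the
    # TLS handshake, so clients never have to talk to the responder.
    ssl_stapling on;

    # Make nginx validate the responder's signature before serving the response.
    ssl_stapling_verify on;

    # Issuer chain (intermediates, plus the root if needed) used to verify the
    # stapled OCSP response.
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;

    # nginx needs a resolver to look up the OCSP responder named in the
    # certificate's Authority Information Access extension. Placeholder address.
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;
}
```

To confirm a server actually staples, run `openssl s_client -connect example.com:443 -servername example.com -status </dev/null` and look for `OCSP Response Status: successful` in the output; `OCSP response: no response sent` means the client would have to fetch status itself. Note that nginx fetches the OCSP response lazily, so the first handshake after a restart may not yet carry a stapled response; check again after a second connection before concluding stapling is broken.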

IcePic | 2 years ago

I find this comment a bit like if someone forces automation for something else, like building containers or deb/rpms of software releases (as opposed to .tgzs of the source) and this comment would be "nooo, we make thousands of releases and if we must automate it, it will be really hard on our engineers".

Yes, if you did not automate and if you buy from vendors who are not automation friendly, then it will be a certain challenge, BUT. If you actually HAVE a large deployment of manual certs, the automation would pay off rather quickly. If it is very cumbersome to renew all certs every 90 days, it can't be a breeze to do it every 365 days either.

Plasmoid | 2 years ago

You're 100% right, this makes automation mandatory for anything that's not a toy service.