
CAs will be required to check DNS CAA records

The CA/Browser Forum passed a ballot requiring CAs to check the DNS CAA record (RFC 6844, "DNS Certification Authority Authorization (CAA) Resource Record") before issuing a certificate: "Ballot 187 - Make CAA Checking Mandatory".

Certificate Authority Authorization (CAA) is a DNS Resource Record defined in RFC 6844 – https://datatracker.ietf.org/doc/rfc6844/, published in January 2013. It allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain and, by implication, that no other CAs are authorized.

With DNS CAA records you can restrict which CAs are allowed to issue certificates for your domain, effectively enforcing a whitelist.
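As an added example (not from the original post or from any CA's own code), this is how a CA evaluates CAA under RFC 6844: climb from the requested name toward the root until a CAA RRset is found, refuse if an unrecognised property is marked critical, and match the issue or issuewild values against the CA's issuer domain. The zone data is constructed, and CNAME/DNAME following is omitted for brevity.

```python
# Added example: RFC 6844 CAA evaluation over a constructed, offline zone.
# Not the post's or any CA's code. CNAME/DNAME following is omitted.
CRITICAL = 128                      # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed CAA data: owner name -> list of (flags, tag, value).
ZONE = {
    "example.com.":         [(0, "issue", "letsencrypt.org"),
                             (0, "issuewild", ";")],        # wildcards forbidden
    "wild.example.org.":    [(0, "issue", "digicert.com")], # no issuewild here
    "noissue.example.org.": [(0, "issue", ";")],            # nobody may issue
    "locked.example.net.":  [(CRITICAL, "mystery-tag", "x")],
}

def parent(name):
    """'a.b.c.' -> 'b.c.'; the root is returned as ''."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else ""

def relevant_caa(fqdn, zone=ZONE):
    """RFC 6844 section 4: walk from the FQDN toward the root and use the
    first non-empty CAA RRset found (a name with no CAA is skipped)."""
    name = fqdn.lower().rstrip(".") + "."
    while name:
        if zone.get(name):
            return zone[name]
        name = parent(name)
    return []

def issuer_of(value):
    """'ca.example; account=1' -> 'ca.example'; ';' alone -> '' (no issuer)."""
    return value.split(";", 1)[0].strip().lower()

def ca_allowed(fqdn, issuer_domain, wildcard=False, zone=ZONE):
    """Decide whether a CA identified by issuer_domain may issue for fqdn."""
    records = relevant_caa(fqdn, zone)
    # An unknown property marked critical means: do not issue.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS
           for flags, tag, _ in records):
        return False
    # issuewild applies to wildcard requests only, and when present it
    # replaces issue; otherwise issue governs both kinds of request.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    permitted = {issuer_of(v) for _, t, v in records if t == tag}
    if not permitted:
        return True     # no applicable property: CAA imposes no restriction
    return issuer_domain.lower() in permitted
```

A name with no CAA anywhere up to the root (such as anything under a constructed "nocaa.test") is unrestricted, which is why publishing CAA at the zone apex matters.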

The maximum validity of SSL certificates will drop to 825 days

The CA/Browser Forum passed a ballot reducing the maximum validity of SSL certificates to 825 days (about 27 months): "Ballot 193 - 825-day Certificate Lifetimes".

So the limit goes from the previous 39 months down to roughly 27 months: the longest certificate you can buy today is 3 years, and in the future it will be 2 years:

Recent Ballot 185 demonstrated a consensus among Forum members to reduce the maximum lifetime for DV and OV certificates from 39 months to 825 days (roughly 27 months). This ballot reflects that consensus, and also reduces the maximum period for reuse of vetting data for DV and OV certificates from 39 months to 27 months.

GitHub lets employees use company equipment to build their own things in their spare time

Saw the news "GitHub now lets its workers keep the IP when they use company resources for personal projects"; GitHub's official terms are published as the "Balanced Employee IP Agreement (BEIPA)".

As the report notes, as long as the work is not related to (or competing with) their job, employees keep the rights:

This allows its employees to use company equipment to work on personal projects in their free time, which can occur during work hours, without fear of being sued for the IP. As long as the work isn’t related to GitHub’s own “existing or prospective” products and services, the employee owns it.

NieR: Automata will get a hi-res OST release

Saw on mora that NieR: Automata will get a hi-res OST: "3/29「NieR:Automata」 Original Soundtrack ハイレゾ同時配信決定!".

The "NieR:Automata" Original Soundtrack, containing the in-game BGM of the action RPG "NieR:Automata" released on 2/23, will be released simultaneously in hi-res on 3/29! The NieR series is known for the high reputation of its game sound, and this installment, fully supervised by producer Yosuke Saito, director Yoko Taro and sound producer Keiichi Okabe (MONACA), is a must-have for NieR fans and game music fans alike.

This is great~

Google announces its plan to distrust Symantec-issued SSL certificates

Google's Ryan Sleevi announced a plan to distrust SSL certificates issued by Symantec: "Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates".

I call it a "distrust plan" here because Google Chrome does not intend to remove the certificates outright, but rather to limit the validity period of Symantec-issued SSL certificates. It has a bit of a too-big-to-fail feel to it...

Looking at market share, whether it is the 15.4% computed in "Usage of SSL certificate authorities for websites" or the 24% in the "SSL Market Share Report", the impact of outright removal would be enormous, all the more so because almost all of the earliest CA companies were bought by Symantec (such as Verisign and Thawte):

This compatibility risk is especially high for Symantec-issued certificates, due to their acquisition of some of the first CAs, such as Thawte, Verisign, and Equifax, which are some of the most widely supported CAs. Distrusting such CAs creates further difficulty for providing secure connections to both old and new devices alike, due to the need to ensure the CA a site operator uses is recognized across these devices.

So the distrust plan will not remove them, but will take a different approach:

To balance the compatibility risks versus the security risks, we propose a gradual distrust of all existing Symantec-issued certificates, requiring that they be replaced over time with new, fully revalidated certificates, compliant with the current Baseline Requirements. This will be accomplished by gradually decreasing the ‘maximum age’ of Symantec-issued certificates over a series of releases, distrusting certificates whose validity period (the difference of notBefore to notAfter) exceeds the specified maximum.

That is, each subsequent release of Google Chrome will lower the maximum validity period it accepts for these certificates, until it reaches nine months (279 days):

The proposed schedule is as follows:
Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days)
Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)
Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)
Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)
Chrome 63 (Dev, Beta): 9 months validity (279 days)
Chrome 63 (Stable): 15 months validity (465 days)
Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)

The security indicators will also be removed:

Therefore, we propose to remove such indicators, effective immediately, until Symantec is able to demonstrate the level of sustained compliance necessary to grant such trust, which will be a period no less than a year. After such time has passed, we will consider requests from Symantec to re-evaluate this position, in collaboration with the broader Chromium community.

Next, let's see whether Mozilla takes similar action...
