回顧 Let's Encrypt 將在六月停止 cross-signed chain 的消息

因為收到 Cloudflare 的信,關於 Let's Encrypt 的 cross-signed chain 將在今年九月底過期的計畫,Cloudflare 這邊也有一些配合的措施會進行:

Let’s Encrypt announced that the cross-signed chain is set to expire on September 30th, 2024. As a result, Cloudflare will stop issuing certificates from the cross-signed CA chain on May 15th, 2024.

去年七月的時候 Let's Encrypt 拿的是去年五月底的資料說明 (2023/05/31),這邊會看 Android 7.1+ 的佔比,當時到了 93.9%。

會看 Android 7.1 是因為從這個版本開始預設就有內建 ISRG Root X1,而不需要 IdenTrust 的 cross-sign chain 了:

剛剛開了 Android Studio 來看,最近一次更新 Android 市占率的資料是去年十月初 (2023/10/01),到 95.0% 了:

也許到九月底的時候有 97%+ 甚至 98%+ coverage,但 Android 的基數還是太大,就算到 98%+ coverage,預期到時候的影響應該還是不小,會不會再簽一年...?

Amazon CA 在 renew 時將引入動態的 Intermediate CA

上個月 AWS 發的公告,其實已經生效了,但整理的時候才發現還沒寫:「Amazon introduces dynamic intermediate certificate authorities」。

先介紹一下 Amazon CA,這是 Amazon 自己維護的 Root CA,有走過 CA/Browser Forum 的規範與稽核,以及各家瀏覽器額外的要求,所以是個用戶端預設都有信任的 CA。

這個服務後來也被用在 AWS Certificate Manager (ACM) 上,由 ACM 申請到的憑證也都可以掛到 AWS 的各種服務上。

通常 root CA 的憑證不會直接拿來簽最終使用者使用的憑證 (leaf certificate),而是 root CA 的憑證先簽 intermediate CA 的憑證,然後 intermediate CA 可能有好幾層一路簽下來,到最後面再用 intermediate CA 的憑證簽最終使用者使用的憑證。

這次公告的內容就題到了,之前的 intermediate CA 是一個固定範圍的量,而且會確保 renew 時用的 intermediate CA 跟先前的是相同的:

Before this change, Amazon maintained a limited number of intermediate CAs and issued and renewed certificates from the same intermediate CAs.

這次則是會變成動態:

With this change, leaf certificates issued to you will be signed by different intermediate CAs.

生效日期是這個月十一日,其實已經生效了:

Starting October 11, 2022 at 9:00 AM Pacific Time, public certificates obtained through ACM will be issued from one of the multiple intermediate CAs that Amazon manages.

一般的用戶端 (像是瀏覽器) 基本上應該是不會有問題,因為大多數預設都是信任 root CA,而非 intermediate CA,而這次的改變還是可以從 root CA 產生出對應的 trust chain。

官方有提到一個有可能的情況:如果你的應用程式有設定 certificate pinning 的話,應該是對 root CA 設定,而非對 intermediate CA 或是 leaf 做:

If you use intermediate CA information through certificate pinning, you will need to make changes and pin to an Amazon Trust Services root CA instead of an intermediate CA or leaf certificate.

這個也算通則,因為就 certificate pinning 想要做到的效果,對 root CA 做就就行了...

ARC (Authenticated Received Chain)

標題的 ARC 是指 Authenticated Received Chain,是前陣子在 Hacker News 上看到「Gmail accepts forged YouTube emails (john-millikin.com)」這篇才發現的東西,原文在「Gmail accepts forged YouTube emails」這邊。

作者發現 Gmail 收了從不是直接從 YouTube 發出來的信件:

主要的原因是,Gmail 除了使用標準的 SPFDKIM 判斷外,還吃上面提到的 ARC。

查了一下 ARC,標準是 RFC 8617,目前還是被標成 experimental,主打是解決 forwarding 的問題,看了一下作者群是 LinkedIn (Microsoft)、GoogleValimail

ARC 這東西與之前 Google 在強推的 AMP (然後被罰) 以及現在在推的 Signed HTTP Exchanges 都有相同的味道,無視 security & privacy concern 的東西...

Framework 筆電也遇到缺料問題,換了音源晶片

Framework 的筆電最近在社群很紅,模組化設計讓維修變容易,而且也有許多規格上的客製化空間。在「Marketplace」這頁可以看到很多東西可以換,除了比較常見的無線網卡、SSD、記憶體以外,像是主機板、鍵盤甚至連 USB、HDMI 接口都是模組。

不過這邊要提到的是 audio chip 也在這波 supply chain 的供貨問題而中招了:「Solving for Silicon Shortages」,Hacker News 上的討論「Framework: Solving for Silicon Shortages (frame.work)」也可以看一下。

從文章裡看起來是 Realtek ALC295 的交期爆炸了:

Chips that would normally have 16-20 week lead times (meaning we’d place typically binding orders that far ahead of needing parts in our hands) went up to 52 weeks. In one case, we even got notified of a 68 week lead time on a chip!

We were able to get enough Realtek ALC295 audio CODECs to develop the Framework Laptop and get through the first few months of production, but nowhere near enough to fulfill ongoing demand from the US and Canada, let alone the additional countries we’d like to ship to.

所以決定換到 Tempo 92HD95B

Luckily, we were able to find an alternative CODEC that lets us stay in production: the Tempo 92HD95B.

查了一下 datasheet,本來的 Realtek ALC295 是 QFN-48,而 Tempo 92HD95B 是 QFN-40,看起來得改不少東西... 應該是連 open market 上都翻不到而被迫換設計,跟我們家的情況也很像,看起來最近大家都哭到爆炸了 :o

Raspberry Pi 4 2GB 版本「暫時」漲價,另外 1GB 版本回歸

Raspberry Pi 宣佈 Raspberry Pi 4 的 2GB 版本將從 US$35 漲到 US$45,另外本來淘汰掉的 1GB 版本回歸,賣 US$35:「Supply chain, shortages, and our first-ever price increase」。

In February last year, we announced that we were discontinuing the 1GB variant of Raspberry Pi 4, and moving the 2GB product to our signature price of $35. We’re still glad we did this, as countless young people made use of this device as they studied from home during the pandemic.

Unfortunately, cost increases caused by the current shortage mean that this product is not currently economically viable at this reduced price point. We are therefore moving it back to $45 on a temporary basis.

To support the many industrial customers who have designed the 2GB variant of Raspberry Pi 4 into their products, we are reintroducing the 1GB variant at the $35 price point. This provides a degree of choice: less memory at the same price; or the same memory at a higher price.

然後共用 40nm 製程的 3B+ 會暫時先被降低優先權,產能會優先提供給 CM3CM3+3B

In allocating our limited stocks of 40nm silicon, we will prioritise Compute Module 3, Compute Module 3+, and Raspberry Pi 3B, and deprioritise Raspberry Pi 3B+.

整個供應鏈的情況被炸的亂七八糟...