Certificate requirements in iOS 13 and macOS 10.15

A colleague posted this on Slack: Apple's list of the certificate restrictions coming with iOS 13 and macOS 10.15, "Requirements for trusted certificates in iOS 13 and macOS 10.15".

The main part is retiring insecure algorithms (RSA keys shorter than 2048 bits, and SHA-1 family hash algorithms). Both have had plenty of coverage already, so nothing surprising here:

TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.

TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.

Next, certificates must carry the name in a SAN (Subject Alternative Name); the old convention of putting it only in the CN (CommonName) will no longer be trusted.

Publicly issued certificates should all be fine (Let's Encrypt, or the ones you pay for); the problems will mostly show up with certificates you create yourself, since plenty of old guides online still generate CN-only certs...

TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

In addition, certificates issued after 2019/7/1 have two extra rules to watch. The first is that id-kp-serverAuth must be specified explicitly via EKU; the OID is defined in RFC 5280:

   id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   -- TLS WWW server authentication
   -- Key usage bits that may be consistent: digitalSignature,
   -- keyEncipherment or keyAgreement

TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.

The second is the validity limit: from now on a certificate is only accepted for at most 825 days (a little over 27 months). We used to get away with -days 3650; now it has to be re-signed every two years:

TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Overall, this mostly affects the certificates we sign ourselves...
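An added example (my own, not from the post or from Apple): it issues a self-signed server certificate that satisfies every rule quoted above using the openssl CLI, and checks any PEM certificate against those same rules by parsing the `openssl x509 -text` output. It assumes OpenSSL 1.1.1 or later on PATH (for -addext); the hostname example.internal is a constructed placeholder.

```python
import re
import subprocess
import tempfile
from datetime import datetime

MAX_DAYS = 825                     # Apple's cap for certs issued after 2019-07-01
SHA2 = ("sha256", "sha384", "sha512")
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # date format in `openssl x509 -text` output

def issue_cert(host, key_path, crt_path, days=MAX_DAYS, san=True):
    """Self-signed RSA-2048/SHA-256 cert; san=False mimics old CN-only how-tos."""
    cmd = ["openssl", "req", "-x509", "-nodes", "-sha256", "-newkey", "rsa:2048",
           "-days", str(days), "-keyout", key_path, "-out", crt_path,
           "-subj", f"/CN={host}", "-addext", "extendedKeyUsage=serverAuth"]
    if san:  # the SAN extension Apple now insists on
        cmd += ["-addext", f"subjectAltName=DNS:{host}"]
    subprocess.run(cmd, check=True, capture_output=True)

def check_cert(crt_path):
    """Evaluate each Apple rule from `openssl x509 -text`; returns {rule: bool}."""
    txt = subprocess.run(["openssl", "x509", "-in", crt_path, "-noout", "-text"],
                         check=True, capture_output=True, text=True).stdout
    def grab(pattern):  # first capture group, or "" when the field is absent
        m = re.search(pattern, txt)
        return m.group(1).strip() if m else ""
    not_before = datetime.strptime(grab(r"Not Before: (.*)"), DATE_FMT)
    not_after = datetime.strptime(grab(r"Not After : (.*)"), DATE_FMT)
    return {
        "rsa>=2048": int(grab(r"Public-Key: \((\d+) bit\)") or 0) >= 2048,
        "sha2-signature": grab(r"Signature Algorithm: (\w+)").lower().startswith(SHA2),
        "dns-in-san": "DNS:" in grab(r"Subject Alternative Name:\s*(?:critical\s*)?(.*)"),
        "eku-serverAuth": "TLS Web Server Authentication"
                          in grab(r"Extended Key Usage:\s*(?:critical\s*)?(.*)"),
        "validity<=825d": (not_after - not_before).days <= MAX_DAYS,
    }

def demo():
    """Issue three constructed certs (good, CN-only, 10-year) and check each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, kw in {"good": {}, "cn_only": {"san": False},
                         "ten_years": {"days": 3650}}.items():
            issue_cert("example.internal", f"{d}/{name}.key", f"{d}/{name}.crt", **kw)
            results[name] = check_cert(f"{d}/{name}.crt")
    return results

if __name__ == "__main__":
    for name, rules in demo().items():
        print(name, rules)
```

Running it shows the "good" cert passing every rule, the CN-only cert failing only dns-in-san, and the -days 3650 cert failing only validity<=825d.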

California's anti-theft phone bill has cut theft rates quite a bit...

I wrote about "California's anti-theft phone bill..." back in 2013; it later took effect in 2015:

In a press release sent to reporters on Thursday, George Gascón said that since the law went into effect on July 1, 2015[,]

Both major camps have similar functionality:

Such a kill switch has become standard in all iPhones ("Activation Lock") and Android phones ("Device Protection") since 2015.

It has now been in effect for two years, and phone theft has dropped considerably: "San Francisco DA: Anti-theft law results in huge drop in stolen phones".

[S]martphone-related robberies have fallen 22 percent from 2015 to 2016. When measured from the peak in 2013, "overall robberies involving smartphones have declined an astonishing 50 percent."

A stolen phone now has to be found someone to strip it for parts, which raises both the difficulty and the cost of dealing with it after the theft...

A TV show demonstrated ordering from an Amazon Echo...

...and then the Amazon Echos in viewers' homes went ahead and ordered too XDDD: "TV anchor says live on-air 'Alexa, order me a dollhouse' – guess what happens next".

A San Diego TV station sparked complaints this week – after an on-air report about a girl who ordered a dollhouse via her parents' Amazon Echo caused Echoes in viewers' homes to also attempt to order dollhouses.

San Francisco requires all new buildings to have solar equipment

San Francisco has passed a rule that buildings constructed from 2017 onward must have 15% of their roof area devoted to solar-related equipment: "San Francisco Is Requiring Solar Panels on All New Buildings":

The ordinance, passed unanimously by the city’s Board of Supervisors, extends an existing California law which requires 15 percent of roof space on new buildings to be “solar ready” — available and unshaded. That ordinance applies to residential or commercial buildings 10 stories or shorter.

In other words, it can be either solar power generation or solar heating equipment:

Under the new ordinance, which will go into effect in 2017, new buildings need to have solar energy of some kind installed, either electricity-generating panels or solar heating units.

The goal is to reach 100% renewable energy by 2020:

San Francisco took a major step toward its own goal of meeting the city’s electricity demands with 100 percent renewable energy by 2020.

This makes it the first major U.S. city to pass such a rule:

This week, San Francisco became the first major U.S. city to require all new buildings to have solar panels on their roofs, according to Scott Wiener, the city supervisor who introduced the bill.

Google starts delivering fresh groceries in San Francisco and Los Angeles...

Google Express is extending its business to fresh groceries, in partnership with grocery retailers: "Google Launches Fresh-Grocery Deliveries".

Google said it would begin delivering produce, meat, eggs and other perishable goods on Wednesday in parts of San Francisco and Los Angeles. The service is part of Google Express, which partners with retailers in some U.S. cities to deliver goods to consumers within hours of an order.

And it is same-day delivery:

Alphabet Inc.'s Google is expanding its same-day delivery service to fresh groceries, the latest example of the tech titan’s increasing push into consumers’ daily lives.

I thought this would be done under Alphabet rather than under Google...

Zynga is selling its San Francisco office

Zynga, having shrunk from 3,500 people at its peak to 2,300 today, has decided to sell its San Francisco office: "Zynga puts its San Francisco headquarters up for sale".

And it is expected to make a tidy profit:

Zynga acquired the space, which was once the U.S. headquarters of Sega, for $228 million. Now it may be worth much more, given the boom in San Francisco real estate.

Real estate really is the way to go (sarcasm) XDDD

San Francisco's largest taxi company, Yellow Cab, plans to file for bankruptcy

San Francisco's largest taxi company, Yellow Cab, plans to file for bankruptcy: "Yellow Cab to file for bankruptcy":

Martinez wrote that the co-op plans to file for bankruptcy in one month. The letter was dated Dec. 10, 2015. The Examiner learned of it after rumors about the bankruptcy began to spread in the taxi driver community.

This comes from the letter Yellow Cab sent to its drivers: "Yellow-Cab-Bankruptcy-Letter". Services like Uber and Lyft have used technology to fix the common shortcomings of taxis, and traditional taxi companies that cannot keep up with the change (in the US as much as in Taiwan) will gradually be weeded out.

"The route is recorded via GPS and can be reviewed afterwards" is a big improvement, and "you cannot request another ride until you rate the last one" (Uber at least enforces this) has let Uber accumulate a large amount of feedback, speeding up the removal of problem drivers. These two items have the most direct effect on ride quality for passengers.

Add to that "not required, but nice to have" online credit-card payment, and one can guess that the traditional taxi business will keep being squeezed into niches such as operating outside the city center or queuing at fixed stands, where the advantage is that a car is waiting without having to be called (like outside Nangang Software Park Phase 2).

Spark Summit 2013, day one thoughts...

Attending Spark Summit 2013 in San Francisco; conclusions:

  • Every company or organization using Spark switched to it for the same reason: performance. None of the other features mentioned are a real must-have reason to use Spark. Getting those features after switching is a bonus, but it is fine without them; the point is still performance.
  • You notice that almost everyone uses Scala, and support for other languages is mostly still in development. What surprised me was that nobody wanted to bring up Java at all... Python did come up a few times XD

So using Spark merely as an MR framework is already well worth it, and if you use Streaming (real-time processing) the performance gain is even more pronounced.

And do not bother trying other languages; just use Scala...

Also, Hadoop Streaming and Spark Streaming mean different things; at the venue, "Streaming" generally meant real-time processing, which almost threw me off :o