Comments URL: https://news.ycombinator.com/item?id=47293286

Points: 9

# Comments: 1

And yeah you probably are. Only in retrospect will it be knowable if it was worth it or not. Perseverance is necessary but rarely sufficient.

I have paid less than $200/mo for this. In terms of cost, this isn't anything like having a nanny, your house paid off, or retiring at age 50. But it's interesting that for this guy, it's on the same list as those things.

In sum: I highly recommend deploying a couple hundred bucks a month to pay someone to do house chores if you have a hard time motivating yourself to do it or have housemates/partners you have to spend time arguing about it with.

liters / 100 km => m^3 / m => m^2

(volume) / (distance) => (area)

This can be interpreted as the cross-sectional area of a hypothetical trough of fuel running alongside the road, whose contents you slurp up and consume in your engine as you pass (in lieu of using fuel stored in an onboard reservoir).

But for anything where the numbers, dates, and facts matter, why even bother?

You're in the machine shop outside of town and you literally have everything you need locally to make the computer drive the 4000lb hunk of cast iron around to cut the hunk of metal into the shape and then when you open your laptop Fusion 360 randomly decides you're not logged in and you need to 2FA to get to your own damn data that's local to your box—except there is no cell service here.

Fuck. B-double-e-double-r-U-N beer run! Bring the laptop into town and make a hotspot at the gas station so you can get back into your damn cloud account and then drive back to the shop in the hills and finally send G-code to the mill. Using data and software you had on your laptop the whole damn time.

Looks like that cut isn't finishing up until 3am.

The point is, you're doing an activity that doesn't require the internet. When an application that provides functionality that doesn't require internet connectivity introduces a hard dependency on the internet, it's user-hating design, plain and simple.

Among the nerds, the backlash has started. Watch out, Fusion 360.

In the world of doing stuff with atoms, no one ever wanted their drafting table to have authentication, ACL, 2FA, or storage/backup.

I could be deeply erroneous in my understanding of X.509 but I am pretty dang sure that a self-signed cert would in fact provide that guarantee.

All certificates (self-signed or otherwise) have an associated private key. In the case of a CA-signed cert, the CA never sees the private key of the cert it's signing. So in your scenario, the server can know it's you and not someone else (assuming you kept your private key secret…) because in establishing the connection, the client signed a challenge that only the holder of the certificate's private key could correctly sign. Whether the cert is signed by a CA or self-signed doesn't change this property.

The CA-signing doesn't provide the property of unique identity—public key crypto does that already. CA-signing just provides a "chain of blessings" that gives the peers on the connection a heuristic for determining how much they should trust the identity on the other end of the line.

Unless I'm wildly mistaken!

I also cannot read comic books and, with perhaps the exception of the systemd man pages, likewise thrive on reference material.

Somewhat relatedly, I can't really do podcasts or audiobooks, either, unless they're in a foreign language, and then the challenge of comprehension provides something for my brain to latch onto.

My mental model is basically like SSH-ing into a box. All the client does is pin the server's public key fingerprint and moan if it changes. The only additional element is an affordance where the box would essentially allow all comers to create a user account and a corresponding `~/ssh/authorized_keys` with their pubkey in it.

In the web-app, of course it's not making unix user accounts, but it's associating the self-signed cert with a user account (how ever that might be implemented) the first time it sees a new cert. Whoever shows up with that cert in the future is automatically 'logged in' as the corresponding user account.

So, genuine question, what does it mean for the client cert to be potentially invalid? What could lead to that case in the system you're imagining? Under what cases would you either a) not grant a CSR in the first place or b) revoke a cert your CA signed?

Oh right, the benevolent overlords, in their wisdom, discerned that mere mortals can't be trusted with private key material.

Nevermind, move along.