Hacker News: mcpherrinm

New comment by mcpherrinm in "Gov.uk has replaced Stripe with Dutch provider Adyen"

mcpherrinm — Fri, 05 Jun 2026 19:29:47 +0000

It's the list here:

https://docs.adyen.com/plugins#built-by-adyen

New comment by mcpherrinm in "A Post-Quantum Future for Let's Encrypt"

mcpherrinm — Thu, 04 Jun 2026 03:04:12 +0000

The best introduction to verifiable indexes I know of offhand is https://www.youtube.com/watch?v=gfrXTgmbS1s and https://github.com/transparency-dev/incubator/tree/main/vind...

New comment by mcpherrinm in "A Post-Quantum Future for Let's Encrypt"

mcpherrinm — Thu, 04 Jun 2026 02:33:18 +0000

Yes, many of the problems from CT are fixed. I wouldn't call it a "broken mess" though, as it has been relatively effective at detecting various problems, and to my knowledge hasn't been compromised.

There are no SCTs, which were a compromise to get CT shipped. Each Merkle Tree Certificate has an actual inclusion proof in it.

CT has multiple independent logs, and requires certs to be logged to 2+ of them. With MTC, you have one issuing log, along with signatures from other "witnesses" which monitor and mirror log integrity. Those co-signatures are validated when checking the certificate.

Thus the witness network makes it much harder for logs to fork, as you can't present a forked view to just the client. You also need to present it to a witness. And it'll be much easier for folks to check all the witnesses are in sync.

Monitoring the MTC logs will be easier than CT, as they'll actually be smaller than CT for a few reasons. At least for the initial version, there won't be a better way to monitor for mis-issued certificates for a particular domain than linear scanning all certificates, but that's a problem being worked on for both CT and MTC, called "verifiable indexes".

New comment by mcpherrinm in "A Post-Quantum Future for Let's Encrypt"

mcpherrinm — Wed, 03 Jun 2026 21:01:48 +0000

On Linux and similar systems, I'm hoping github.com/rustls/upki will handle landmark distribution, and that non-browser clients can use that. Of course Rustls will support their own project, but I'm hopeful other TLS stacks do too. Ubuntu announcing they're deploying it should help with that.

On other OSes (like Mac OS and Windows), there's also OS-level services which could support this.

It would be a shame if we end up with a bunch of copies of this data, so I think a shared OS service is the only reasonable approach.

The hardest part is going to be smaller embedded systems.

New comment by mcpherrinm in "A Post-Quantum Future for Let's Encrypt"

mcpherrinm — Wed, 03 Jun 2026 20:41:55 +0000

Great question! Of course, we'll continue to provide more information as we firm up more details. This is an area that's not locked down yet, but I can give a sneak preview of what it might look like.

We expect batches to be produced quickly, on the same order of magnitude as current CT logs - somewhere in the 0.5s to 5 second range. This is an existing problem since (at least some) CT logs do the same batched behaviour.

Now, there is a catch with MTCA: That gets you a "standalone" certificate, which works just like a certificate does today. But it's big, still. To get the new, small certificates (landmark-relative), you will have to wait for the next landmark. Based on current planning and discussions with Chrome, we expect that to be hourly for short-lived certs, and 4 hours for longer-lived certificates.

So you'll get a big cert instantly, but you might have to wait an hour or 4 to get a certificate. So your new website can be online quickly, but with some downsides until you get the small landmark-relative cert.

(I work at Let's Encrypt)

New comment by mcpherrinm in "A Post-Quantum Future for Let's Encrypt"

mcpherrinm — Wed, 03 Jun 2026 20:20:16 +0000

OpenSSH's Damien Miller has https://datatracker.ietf.org/doc/draft-miller-sshm-mldsa44-e... defining ssh-mldsa44-ed25519@openssh.com which seems more likely given the authorship.

New comment by mcpherrinm in "Parallel Reconstruction of Lawful TLS Wiretapping"

mcpherrinm — Sun, 31 May 2026 03:55:12 +0000

Even without DNSSEC, the CAA record approach can help, as it requires MITMing between the CA and the DNS server, which may be harder in some cases than just MITMing a target site.

There’s some upcoming attempts at transport security for authoritative DNS servers which might help too: https://datatracker.ietf.org/doc/html/draft-hoffman-deleg-se...

New comment by mcpherrinm in "Parallel Reconstruction of Lawful TLS Wiretapping"

mcpherrinm — Sun, 31 May 2026 00:03:21 +0000

CAA checking is mandatory, so you can always restrict to a given CA.

To get complete control with DNSSEC, you also need the accounturi and validationmethod extensions (which you need to guarantee only your account can issue, and only with the DNS validation type).

Those aren't yet mandatory, but you can restrict to a CA today which implements them, like Let's Encrypt.

New comment by mcpherrinm in "Stop Advertising in Your Commits"

mcpherrinm — Tue, 26 May 2026 19:29:44 +0000

The post seems to be down so I am not quite sure what it says, but Co-Authored-By trailer is what Claude does. I'm not quite clear what you're suggested that's different from what Claude does - just default to off instead of default on?

> Co-Authored-By: Claude Opus 4.7

New comment by mcpherrinm in "Three men are facing charges in Toronto SMS Blaster arrests"

mcpherrinm — Mon, 27 Apr 2026 22:25:10 +0000

It doesn't matter what the network is doing; the phone needs to disable 2g. There's various ways to get the phone to downgrade to 2g otherwise, eg https://montsecure.com/files/2021_downgrade.pdf

Android has it as a toggle: https://source.android.com/docs/security/features/cellular-s...

iPhone disables it for phones in lockdown mode.

New comment by mcpherrinm in "Three men are facing charges in Toronto SMS Blaster arrests"

mcpherrinm — Mon, 27 Apr 2026 22:07:06 +0000

There's zero spam filtering interfering this way, and you can target your messages very precisely.

New comment by mcpherrinm in "Three men are facing charges in Toronto SMS Blaster arrests"

mcpherrinm — Mon, 27 Apr 2026 22:06:18 +0000

2g networks didn't have the phone verify the network, so yes they can do this.

At least as of today, most phones have an option to turn off 2g but that isn't a default.

New comment by mcpherrinm in "The difficulty of making sure your website is broken"

mcpherrinm — Fri, 10 Apr 2026 18:02:34 +0000

Yeah, Chrome only partly supports revocation (Not sure exactly the criteria, but our test sites don't match it).

The difficulty of making sure your website is broken

mcpherrinm — Fri, 10 Apr 2026 16:45:40 +0000

Article URL: https://letsencrypt.org/2026/04/10/test-sites.html

Comments URL: https://news.ycombinator.com/item?id=47720719

Points: 71

# Comments: 38

New comment by mcpherrinm in "Git commands I run before reading any code"

mcpherrinm — Wed, 08 Apr 2026 16:55:08 +0000

Git bisect is one of the important reasons IMO to always squash-merge pull requests: Because the unit of review is the pull request.

I think this is all Github's fault, in the end, but I think we need to get Github to change and until then will keep using squash-merges.

New comment by mcpherrinm in "Git commands I run before reading any code"

mcpherrinm — Wed, 08 Apr 2026 11:51:30 +0000

Squash merge is the only reasonable way to use GitHub:

If you update a PR with review feedback, you shouldn’t change existing commits because GitHub’s tools for showing you what has changed since your last review assume you are pushing new commits.

But then you don’t want those multiple commits addressing PR feedback to merge as they’re noise.

So sure, there’s workflows with Git that doesn’t need squashing. But they’re incompatible with GitHub, which is at least where I keep my code today.

Is it perfect? No. But neither is git, and I live in the world I am given.

New comment by mcpherrinm in "Woman who never stopped updating her lost dog's chip reunites with him after 11y"

mcpherrinm — Thu, 26 Mar 2026 01:16:20 +0000

Yes, it's just a number referenced in one of a few databases.

> The 15-digit pet microchip is the international standard (see ISO 11784:1996 and ISO 11785:1996)

https://www.aaha.org/for-veterinary-professionals/microchip-...

https://en.wikipedia.org/wiki/ISO_11784_and_ISO_11785

New comment by mcpherrinm in "DNS-Persist-01: A New Model for DNS-Based Challenge Validation"

mcpherrinm — Fri, 20 Feb 2026 16:30:54 +0000

It does mean Unix timestamps. The blog post doesn’t have the full details.

You can read the RFC draft at https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-pe...

It says: CAs MUST properly parse and interpret the integer timestamp value as a UNIX timestamp (the number of seconds since 1970-01-01T00:00:00Z ignoring leap seconds) and apply the expiration correctly.

New comment by mcpherrinm in "DNS-Persist-01: A New Model for DNS-Based Challenge Validation"

mcpherrinm — Fri, 20 Feb 2026 03:48:27 +0000

Note that we only do best-effort submission of final certs, so it's not actually guaranteed that they end up being logged.

New comment by mcpherrinm in "DNS-Persist-01: A New Model for DNS-Based Challenge Validation"

mcpherrinm — Thu, 19 Feb 2026 00:11:56 +0000

Two current mitigations and one future:

DNSSEC prevents any modification of records, but isn’t widely deployed.

We query authoritative nameservers directly from at least four places, over a diverse set of network connections, from multiple parts of the world. This (called MPIC) makes interception more difficult.

We are also working on DNS over secure transports to authoritative nameservers, for cases where DNSSEC isn’t or won’t be deployed.