<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: nickf</title><link>https://news.ycombinator.com/user?id=nickf</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sun, 05 Jul 2026 14:50:27 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=nickf" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by nickf in "Factoring "short-sleeve" RSA keys with polynomials"]]></title><description><![CDATA[
<p>Hanno - we may have communicated before some years ago, but am more than happy to offer any help I can (if some of our customers are/were affected, happy to reach out and see if they can give you more answers as to which products).
nick (at) sectigo (dot) com</p>
]]></description><pubDate>Tue, 16 Jun 2026 11:33:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=48553591</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=48553591</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48553591</guid></item><item><title><![CDATA[New comment by nickf in "Let's Encrypt bans certificate usage in any US sanctioned territory [pdf]"]]></title><description><![CDATA[
<p>For any target of sufficient value that a government would do that, yes.
Of course it doesn't happen anyway, because governments don't have some kind of secret access to CAs.</p>
]]></description><pubDate>Tue, 09 Jun 2026 21:12:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=48467833</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=48467833</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48467833</guid></item><item><title><![CDATA[New comment by nickf in "Let's Encrypt bans certificate usage in any US sanctioned territory [pdf]"]]></title><description><![CDATA[
<p>I would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best.</p>
]]></description><pubDate>Tue, 09 Jun 2026 11:57:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=48459918</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=48459918</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48459918</guid></item><item><title><![CDATA[New comment by nickf in "Let's Encrypt bans certificate usage in any US sanctioned territory [pdf]"]]></title><description><![CDATA[
<p>ZeroSSL aren't an EU-based alternative, unfortunately.</p>
]]></description><pubDate>Tue, 09 Jun 2026 07:25:20 +0000</pubDate><link>https://news.ycombinator.com/item?id=48457763</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=48457763</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48457763</guid></item><item><title><![CDATA[New comment by nickf in "Parallel Reconstruction of Lawful TLS Wiretapping"]]></title><description><![CDATA[
<p>If a cert doesn't contain the requisite number of valid SCTs from logs that are specifically usable in the browser - it will not work.</p>
]]></description><pubDate>Mon, 01 Jun 2026 09:31:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=48354532</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=48354532</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48354532</guid></item><item><title><![CDATA[New comment by nickf in "What Apple and Google are doing to push notifications"]]></title><description><![CDATA[
<p>You’re right of course, but Apple won’t do it - they’re happily running a two-tier system where Uber, eBay, Doordash can force spam notifications on you with impunity. All my settings for marketing are off - eBay still sends me notifications about coupons (and additionally there’s no way to actually contact them to complain, of course). Doordash won’t let me get delivery notifications without marketing notifications.<p>Apple could fully enforce their policies and fix this in a heartbeat, but they won’t.</p>
]]></description><pubDate>Wed, 27 May 2026 21:01:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=48300619</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=48300619</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48300619</guid></item><item><title><![CDATA[New comment by nickf in "WebPKI and You"]]></title><description><![CDATA[
<p>While I sort-of see what you're trying to say, if you knew the groups and teams involved - you'd know there was no favouritism and a strong degree of separation between CA and root programs.<p>The root programs who have their own CAs are also cloud providers, who arguably have a legitimate need for the CA. Or in Apple's case they have their own CA, but don't issue externally. They keep CA and root program separate.</p>
]]></description><pubDate>Thu, 12 Mar 2026 23:28:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=47358698</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=47358698</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47358698</guid></item><item><title><![CDATA[New comment by nickf in "WebPKI and You"]]></title><description><![CDATA[
<p>That's absolutely incorrect. While CABF sets the 'Baseline Requirements' that ultimately go into the WebTrust audit scheme that root programs use to accept roots into their trust stores...browsers can and do set their own rules.<p>The reduction of TLS cert lifetime to a max of 398 days was an Apple policy.</p>
]]></description><pubDate>Thu, 12 Mar 2026 23:25:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=47358679</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=47358679</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47358679</guid></item><item><title><![CDATA[New comment by nickf in "Robust and efficient quantum-safe HTTPS"]]></title><description><![CDATA[
<p>Your failure to see the problem doesn’t mean it doesn’t exist. 40x the size might not really be an issue for the hypothetical server you’ve suggested - but that isn’t the reality for the world. Many devices do HTTPS and TLS.
Not to mention the issue is more with the <i>clients</i>.
CT logs would get a lot harder to run (and they’re already not so easy).</p>
]]></description><pubDate>Sun, 01 Mar 2026 20:48:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=47210511</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=47210511</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47210511</guid></item><item><title><![CDATA[New comment by nickf in "Upcoming changes to Let's Encrypt and how they affect XMPP server operators"]]></title><description><![CDATA[
<p>Google dominate the space because they have an active, robust trust-store program that they manage well. Apple the same. Mozilla and Microsoft too (though to a lesser extent).<p>If any ecosystem - such as XMPP - wishes to, they could start their own root-program, but many simply copy what Chrome or Mozilla do and then are surprised when things change.</p>
]]></description><pubDate>Tue, 10 Feb 2026 15:45:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=46961362</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46961362</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46961362</guid></item><item><title><![CDATA[New comment by nickf in "Upcoming changes to Let's Encrypt and how they affect XMPP server operators"]]></title><description><![CDATA[
<p>Not really, no. There are a number of reasons for cert lifetimes being made shorter.</p>
]]></description><pubDate>Tue, 10 Feb 2026 12:43:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=46958980</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46958980</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46958980</guid></item><item><title><![CDATA[New comment by nickf in "Upcoming changes to Let's Encrypt and how they affect XMPP server operators"]]></title><description><![CDATA[
<p>A public CA checks it one-time, when it's being issued. 
Most/all mTLS use-cases don't do any checking of the client cert in any capacity. Worse still, some APIs (mainly for finance companies) require things like OV and EV, but of course they couldn't check the Subject DN if they wanted to.<p>If it's for auth, issue it yourself and don't rely on a third-party like a public CA.</p>
]]></description><pubDate>Mon, 09 Feb 2026 23:14:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=46952944</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46952944</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46952944</guid></item><item><title><![CDATA[New comment by nickf in "Upcoming changes to Let's Encrypt and how they affect XMPP server operators"]]></title><description><![CDATA[
<p>Eh, it's pretty easy to impersonate if the values in the certificate aren't checked, and you could get one from any of a list of public CAs.<p>If you're relying on a certificate for authentication - issue it yourself.</p>
]]></description><pubDate>Mon, 09 Feb 2026 22:54:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=46952741</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46952741</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46952741</guid></item><item><title><![CDATA[New comment by nickf in "Upcoming changes to Let's Encrypt and how they affect XMPP server operators"]]></title><description><![CDATA[
<p>Publicly-trusted client authentication does nothing. It's not a thing that should exist, or is needed.</p>
]]></description><pubDate>Mon, 09 Feb 2026 22:45:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=46952659</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46952659</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46952659</guid></item><item><title><![CDATA[New comment by nickf in "Upcoming changes to Let's Encrypt and how they affect XMPP server operators"]]></title><description><![CDATA[
<p>Client authentication with publicly-trusted (i.e. chaining to roots in one of the major 4 or 5 trust-store programs) is bad. It doesn't actually authenticate anything at all, and never has.<p>No-one that uses it is authenticating anything more than the other party has an internet connection and the ability, perhaps, to read.
No part of the Subject DN or SAN is checked. It's just that it's 'easy' to rely on an existing trust-store rather than implement something secure using private PKI.<p>Some providers who 'require' public TLS certs for mTLS even specify specific products and CAs (OV, EV from specific CAs) not realising that both the CAs and the roots are going to rotate more frequently in future.</p>
]]></description><pubDate>Mon, 09 Feb 2026 22:44:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=46952644</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46952644</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46952644</guid></item><item><title><![CDATA[New comment by nickf in "Upcoming changes to Let's Encrypt and how they affect XMPP server operators"]]></title><description><![CDATA[
<p>You are correct, and the answer is - no-one using publicly-trusted TLS certs for client authentication is actually doing any authentication. At best, they're verifying the other party has an internet connection and perhaps the ability to read.<p>It was only ever used because other options are harder to implement.</p>
]]></description><pubDate>Mon, 09 Feb 2026 22:40:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=46952599</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46952599</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46952599</guid></item><item><title><![CDATA[New comment by nickf in "6-Day and IP Address Certificates Are Generally Available"]]></title><description><![CDATA[
<p>It’ll be 5 years soon.</p>
]]></description><pubDate>Sat, 17 Jan 2026 22:28:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=46662746</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46662746</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46662746</guid></item><item><title><![CDATA[New comment by nickf in "Mozilla's New CEO Confirms Firefox Will Become an "AI Browser""]]></title><description><![CDATA[
<p>I was mostly just typing out what they had listed under 'products' on their pages. I'm aware of what Mozilla do, know folks there and that have been there. 
They've been roundly criticised for adding 'products' of questionable value to their core userbase, rightly so in my opinion.</p>
]]></description><pubDate>Fri, 19 Dec 2025 09:32:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=46323903</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46323903</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46323903</guid></item><item><title><![CDATA[New comment by nickf in "Mozilla's New CEO Confirms Firefox Will Become an "AI Browser""]]></title><description><![CDATA[
<p>...which is arguably the problem. Firefox. Thunderbird. That should be it. According to their own site, beyond that they have the browser app for mobile devices. A VPN service, an email-forwarding service, and MDN. Hardly 'many products'.</p>
]]></description><pubDate>Thu, 18 Dec 2025 08:04:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=46310057</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46310057</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46310057</guid></item><item><title><![CDATA[New comment by nickf in "Upcoming Changes to Let's Encrypt Certificates"]]></title><description><![CDATA[
<p>There are ways to do this as pointed out below - CNAME all your domains to one target domain and make the changes there.
There’s also a new DCV method that only needs a single, static record. Expect CA support widely in the coming weeks and months. That might help?</p>
]]></description><pubDate>Tue, 16 Dec 2025 16:46:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=46290814</link><dc:creator>nickf</dc:creator><comments>https://news.ycombinator.com/item?id=46290814</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46290814</guid></item></channel></rss>