waldiWelche Firma ist eigentlich für die Server-Infrastruktur in den Zügen der DB Fernverkehr zuständig? Diese haben ein Zertifikat für "iceportal.de", was auf den Namen von "DB Systel GmbH" ausgestellt ist. Die Domain selber gehört der "Deutsche Bahn AG".
Nicolas Fränkel 🇪🇺🇺🇦🇬🇪WebPKI and You
There’s been a push over the last twelve years to move web traffic off unencrypted HTTP to encrypted HTTPS, to protect the general public from dragnet surveillance, gaping assholes on public wifi>airpwn, backhauls over unencrypted satellites, that kinda thing. HTTPS relies on a public key infrastructure to make sure only authorized servers have keys for specific websites. [>oid]: an OID or “Object IDentifier” is intended [brs]: https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.8.pdf [crtsh]: https://crt.sh/?q=blog.brycekerley.net [lol-diginotar]: https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates [iv-ocsp]: https://www.imperialviolet.org/2011/03/18/revocation.html [>mac-ocsp]: Jeff Johnson’s [>crlite]: these use cascading bloom filters which [>short-lived]: the CA/BF baseline requirements [trustico-chrome]: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html [trustico-gone]: https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/ [trustico-compromise]: https://groups.google.com/g/mozilla.dev.security.policy/c/wxX4Yv0E3Mk/m/o1cdfx2nAQAJ [>enclaves]: Amazon Web Services (AWS) and [>history]: i mean, i remember from when it happened [>parasite]: You may have realized that I don’t think [van-halen]: https://snackstack.net/2023/07/03/in-search-of-van-halens-brown-mms/ [>osi]: I’m not going to hit you with a [>responsibility]: in every part of your life! [>bloom]: [>later]: At time of publishing, it’s March 8, 2026 [hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security [>hsts]: This is generally a hardcoded value, [>cattle]: “cattle” is when there’s [ari]: https://letsencrypt.org/2025/09/16/ari-rfc [>caddy-ari]: I checked Caddy, the front-end server [>left]: there may be value in trying to renew [audits]: https://cabforum.org/about/information/auditors-and-assessors/audit-criteria/
GripNews🌘 WebPKI 與你:網路安全基礎設施的社會與技術剖析
➤ 從證書頒發機構的權力遊戲看現代網路信任危機
✤ https://blog.brycekerley.net/2026/03/08/webpki-and-you.html
本文深入探討網路公鑰基礎設施(WebPKI)的運作機制與其背後的政治與社會意義。作者指出,WebPKI 不僅僅是數據中心的硬體架構,更是一個由多方博弈、受利益驅動的複雜管理體系。文章透過梳理 HTTPS 的演進史,詳細解析了從證書核發、域名驗證(DV)到組織驗證(OV/EV)的流程,並揭示了在這個必須「信任」的系統中,當證書核發機構(CA)出現管理紕漏時,整個網路生態將面臨多大的風險。
+ 這篇文章把 WebPKI 的技術複雜度與社會政治層面連結得很棒,特別是提到 CA 與瀏覽器廠商之間的利益關係,這通常是技術文件中被忽略的部分。
+ 對於剛入門網路安全的人來說,這是很好的科普。但坦白說,看到 WebPKI 這種結構,依然會對現代網路的信任根基感到有些脆弱。
#網路安全 #WebPKI #HTTPS #加密技術 #數位憑證
➤ 從證書頒發機構的權力遊戲看現代網路信任危機
✤ https://blog.brycekerley.net/2026/03/08/webpki-and-you.html
本文深入探討網路公鑰基礎設施(WebPKI)的運作機制與其背後的政治與社會意義。作者指出,WebPKI 不僅僅是數據中心的硬體架構,更是一個由多方博弈、受利益驅動的複雜管理體系。文章透過梳理 HTTPS 的演進史,詳細解析了從證書核發、域名驗證(DV)到組織驗證(OV/EV)的流程,並揭示了在這個必須「信任」的系統中,當證書核發機構(CA)出現管理紕漏時,整個網路生態將面臨多大的風險。
+ 這篇文章把 WebPKI 的技術複雜度與社會政治層面連結得很棒,特別是提到 CA 與瀏覽器廠商之間的利益關係,這通常是技術文件中被忽略的部分。
+ 對於剛入門網路安全的人來說,這是很好的科普。但坦白說,看到 WebPKI 這種結構,依然會對現代網路的信任根基感到有些脆弱。
#網路安全 #WebPKI #HTTPS #加密技術 #數位憑證
WebPKI and You
There’s been a push over the last twelve years to move web traffic off unencrypted HTTP to encrypted HTTPS, to protect the general public from dragnet surveillance, gaping assholes on public wifi>airpwn, backhauls over unencrypted satellites, that kinda thing. HTTPS relies on a public key infrastructure to make sure only authorized servers have keys for specific websites. [>oid]: an OID or “Object IDentifier” is intended [brs]: https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.8.pdf [crtsh]: https://crt.sh/?q=blog.brycekerley.net [lol-diginotar]: https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates [iv-ocsp]: https://www.imperialviolet.org/2011/03/18/revocation.html [>mac-ocsp]: Jeff Johnson’s [>crlite]: these use cascading bloom filters which [>short-lived]: the CA/BF baseline requirements [trustico-chrome]: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html [trustico-gone]: https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/ [trustico-compromise]: https://groups.google.com/g/mozilla.dev.security.policy/c/wxX4Yv0E3Mk/m/o1cdfx2nAQAJ [>enclaves]: Amazon Web Services (AWS) and [>history]: i mean, i remember from when it happened [>parasite]: You may have realized that I don’t think [van-halen]: https://snackstack.net/2023/07/03/in-search-of-van-halens-brown-mms/ [>osi]: I’m not going to hit you with a [>responsibility]: in every part of your life! [>bloom]: [>later]: At time of publishing, it’s March 8, 2026 [hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security [>hsts]: This is generally a hardcoded value, [>cattle]: “cattle” is when there’s [ari]: https://letsencrypt.org/2025/09/16/ari-rfc [>caddy-ari]: I checked Caddy, the front-end server [>left]: there may be value in trying to renew [audits]: https://cabforum.org/about/information/auditors-and-assessors/audit-criteria/
N-gated Hacker News🔐 Wanna read about #WebPKI to feel smart? Well, this site boasts about #HTTPS while rocking an expired cert. 🤦♂️ It's like a security guard locked outside his own building, yelling about safety! 🚫🔒
https://blog.brycekerley.net/2026/03/08/webpki-and-you.html #SecurityExpired #CertFail #SafeGuard #HackerNews #ngated
https://blog.brycekerley.net/2026/03/08/webpki-and-you.html #SecurityExpired #CertFail #SafeGuard #HackerNews #ngated
WebPKI and You
There’s been a push over the last twelve years to move web traffic off unencrypted HTTP to encrypted HTTPS, to protect the general public from dragnet surveillance, gaping assholes on public wifi>airpwn, backhauls over unencrypted satellites, that kinda thing. HTTPS relies on a public key infrastructure to make sure only authorized servers have keys for specific websites. [>oid]: an OID or “Object IDentifier” is intended [brs]: https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.8.pdf [crtsh]: https://crt.sh/?q=blog.brycekerley.net [lol-diginotar]: https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates [iv-ocsp]: https://www.imperialviolet.org/2011/03/18/revocation.html [>mac-ocsp]: Jeff Johnson’s [>crlite]: these use cascading bloom filters which [>short-lived]: the CA/BF baseline requirements [trustico-chrome]: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html [trustico-gone]: https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/ [trustico-compromise]: https://groups.google.com/g/mozilla.dev.security.policy/c/wxX4Yv0E3Mk/m/o1cdfx2nAQAJ [>enclaves]: Amazon Web Services (AWS) and [>history]: i mean, i remember from when it happened [>parasite]: You may have realized that I don’t think [van-halen]: https://snackstack.net/2023/07/03/in-search-of-van-halens-brown-mms/ [>osi]: I’m not going to hit you with a [>responsibility]: in every part of your life! [>bloom]: [>later]: At time of publishing, it’s March 8, 2026 [hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security [>hsts]: This is generally a hardcoded value, [>cattle]: “cattle” is when there’s [ari]: https://letsencrypt.org/2025/09/16/ari-rfc [>caddy-ari]: I checked Caddy, the front-end server [>left]: there may be value in trying to renew [audits]: https://cabforum.org/about/information/auditors-and-assessors/audit-criteria/
Hacker NewsWebPKI and You
https://blog.brycekerley.net/2026/03/08/webpki-and-you.html
#HackerNews #WebPKI #WebSecurity #DigitalCertificates #InternetSafety #CyberSecurity #TechEducation
WebPKI and You
There’s been a push over the last twelve years to move web traffic off unencrypted HTTP to encrypted HTTPS, to protect the general public from dragnet surveillance, gaping assholes on public wifi>airpwn, backhauls over unencrypted satellites, that kinda thing. HTTPS relies on a public key infrastructure to make sure only authorized servers have keys for specific websites. [>oid]: an OID or “Object IDentifier” is intended [brs]: https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.8.pdf [crtsh]: https://crt.sh/?q=blog.brycekerley.net [lol-diginotar]: https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates [iv-ocsp]: https://www.imperialviolet.org/2011/03/18/revocation.html [>mac-ocsp]: Jeff Johnson’s [>crlite]: these use cascading bloom filters which [>short-lived]: the CA/BF baseline requirements [trustico-chrome]: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html [trustico-gone]: https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/ [trustico-compromise]: https://groups.google.com/g/mozilla.dev.security.policy/c/wxX4Yv0E3Mk/m/o1cdfx2nAQAJ [>enclaves]: Amazon Web Services (AWS) and [>history]: i mean, i remember from when it happened [>parasite]: You may have realized that I don’t think [van-halen]: https://snackstack.net/2023/07/03/in-search-of-van-halens-brown-mms/ [>osi]: I’m not going to hit you with a [>responsibility]: in every part of your life! [>bloom]: [>later]: At time of publishing, it’s March 8, 2026 [hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security [>hsts]: This is generally a hardcoded value, [>cattle]: “cattle” is when there’s [ari]: https://letsencrypt.org/2025/09/16/ari-rfc [>caddy-ari]: I checked Caddy, the front-end server [>left]: there may be value in trying to renew [audits]: https://cabforum.org/about/information/auditors-and-assessors/audit-criteria/
CertKitMarch 15 is last call on 398-day certificates. After that, 200-day max, 100 in 2027, 47 in 2029.
Renew now and you buy yourself time to automate on your terms. Wait, and the CA/B Forum sets your schedule for you.
https://www.certkit.io/blog/last-call-on-398-day-certificates #PKI #WebPKI
CertKit Agent 1.6: RRAS support, deploy windows, and agent locking.
Shorter lifetimes mean certificate automation has to act like real deployments: issue, deploy, verify. Deploy windows keep disruptions inside maintenance windows, and agent locking freezes commands so UI changes can’t be weaponized.
CertKit Agent update: RRAS support, deploy windows, and agent locking
The CertKit Agent now supports Microsoft RRAS for VPN certificate management. We also added deploy windows so you can control when certificate updates happen, and agent locking to protect your infrastructure even if CertKit itself were ever compromised.
CassanderIs today a #FediHire Friday? Sure looks like it!
What I'm looking for: A senior level, individual contributor role supporting Windows, Active Directory, Certificates, PKI, Azure, and information security in a large enterprise. I like to solve weird problems and make computers run smoothly. I want to help others use technology effectively. Interested in relocating outside of the US.
My main focus the last few years has been rebuilding and modernizing a struggling certificate environment. That includes growing the team to meet our company needs, migrating our AD-integrated private PKI stack to a certificates-as-a-service vendor, getting a handle on our web PKI consumption, and making massive improvements to our certificate life-cycle management platform. I supported and advised our CyberSec and Desktop teams as we rolled out multi-factor authentication to 50,000 employees and contractors across the US. My understanding of deep computer fundamentals, talent for quickly grasping nuances of larger systems, and calmness in a crisis have contributed to quickly resolving major technology outages regardless of root cause.
This role hasn't been exclusively technical. A big part of my current job is building relationships with our developers to help them understand how certificates work, the responsible ways to use them, and what our relevant internal policies are. I've developed training and teaching material for junior and mid-level engineers featuring practical PKI concepts and our specific enterprise requirements. I've worked closely with fellow principal engineers and architects to design secure, resilient services. I've gotten to spend some time with upper management to both explain the immediate challenges we've had and the plans we can implement improve our infrastructure, reducing costs and outages.
While this position has been focused on certs and how to use them, I'm very comfortable considering a technical leadership role for Windows (server and desktop) administration and Active Directory. I also have some good experience with Azure and virtualization platforms, but they haven't been my daily focus for several years.
My current employer is direct retail for general public consumers. I've also worked in banking/finance, manufacturing, and architecture/civil engineering firms. The common thread is I love to help people leverage technology for their goals, to help them be more effective.
In my personnel/volunteer time I've done very similar: working backstage with lights/sounds/projections so live performers can shine, and volunteering at local repair clinic events to help my neighbors with technology that isn't meeting their expectations.
Right now I'm in Syracuse, New York (about five hours from NYC), but I'm open to relocation/migration anywhere in the world.
PMs open if you want to talk details. Boosts/retoots appreciated.
#Job #GetFediHired #FediHired #ITJobs #Windows #ActiveDirectory #Certificate #MSCA #MicrosoftCertificateAuthority #ADCS #PKI #WebPKI #Azure #Migration #CyberSecurity #InfoSecurity #RemoteWork
Eckes 