covid-19 is a social disease! clear out the attic and help save lives!

The Telecom Digest for Mon, 14 Sep 2020
Volume 39 : Issue 238 : "text" format

table of contents
Re: What's New In 5G
Re: TLS Certificates Cut to One Year From This Month: What You Need to Know
Mississippi subpoenas AT&T for records on $300M project
Message-ID: <rjgd3r$214q$1@grapevine.csail.mit.edu>
Date: 11 Sep 2020 17:45:31 +0000
From: "Garrett Wollman" <wollman@bimajority.org>
Subject: Re: What's New In 5G

To article <rje6sl$1eb9$1@grapevine.csail.mit.edu>, The Moderator appended:

> I used to work in the VZ engineering group that handled SS7 and
> Timing. The Engineer who worked on timing had a favorite joke:
> whenever anyone asked him what time it was, he'd say "Nobody knows!"

See, that was the great thing about IS-95/IS-2000: if you didn't get the
time synchronization within 15 microseconds, it just wouldn't work.
(Well, it would appear to work, but calls would be dropped at every
handoff, which would make customers angry.) That's also why you could
build a timecode receiver to use the signal without a subscription. (GSM
has a time feature, but it's "wall clock time at the MTSO", not a
rigorously derived timebase.)

There's nothing else in telephony that depends as a business requirement
on that level of clock synchronization. I have at times suspected
Qualcomm engineers of designing IS-95 intentionally as a way of tricking
telcos into investing in a high-quality time distribution infrastructure
for the country. But it's all going away now.

-GAWollman

--
Garrett A. Wollman    | "Act to avoid constraining the future; if you can,
wollman@bimajority.org| act to remove constraint from the future. This is
Opinions not shared by| a thing you can do, are able to do, to do together."
my employers.         |   - Graydon Saunders, _A Succession of Bad Days_ (2015)

------------------------------

Message-ID: <CAH8yC8n0n9MQHP+kVrXVy29V9-BNvut65=6w1C34r_epspO-PQ@mail.gmail.com>
Date: 4 Sep 2020 19:49:14 -0400
From: "Jeffrey Walton" <noloader@gmail.com>
Subject: Re: TLS Certificates Cut to One Year From This Month: What You Need to Know

On Thu, Sep 3, 2020 at 6:14 PM Moderator
<telecomdigestsubmissions@remove-this.remove-this.telecom-digest.org> wrote:
>
> "It's about making sure that, if a certificate gets into someone
> else's hands, it's not in someone else's hands for five years"
>
> As of the first of September companies cannot buy a TLS certificate
> that lasts for longer than 398 days in a move designed to protect
> users from compromised certificates.
>
> https://www.cbronline.com/news/one-year-tls-certificates

Oh man, there is so much wrong with that article from a data security
point of view.

The security community has found key continuity is a better security
property than key rotation. Use the key (or password) until it is no
longer secure. Anyone doing gratuitous key (or password) rotation is
using the old school of thought and weakening security in the system.
Consider, DigiNotar(1) was caught because of key continuity (the key
changed unexpectedly), not the key lifetime (the key's time in service
did not lead to the failure). Gutmann writes extensively about this in
his book Engineering Security,
https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf.

I suspect the five-year certificates are also going away due to the Race
to the Bottom in the CA industry. The industry needs to boost its
revenue stream because of Let's Encrypt, so it needs a shorter renewal
cycle.

One of the benefits of a shorter certificate lifetime is smaller
CRL(2)s. Smaller CRLs are why Google uses 30-day end-entity certificates
on its web properties. Smaller CRLs should help mobile clients and
others who do not have a lot of bandwidth.

OCSP(3) suffers the same architectural problems as CRL. OCSP uses CRL
lists behind the scenes; they just moved the CRL problem around.

Jeff

1. https://en.wikipedia.org/wiki/DigiNotar
2. Certificate Revocation List: see
   https://en.wikipedia.org/wiki/Certificate_revocation_list
3. https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

------------------------------

Message-ID: <7ea67835-c7ba-6e6c-f028-4a9bf4cd4694@billhorne.com>
Date: 12 Sep 2020 22:12:40 -0400
From: Bill Horne <telecomdigestsubmissions@remove-this.telecom-digest.org>
Subject: Mississippi subpoenas AT&T for records on $300M project

JACKSON, Miss. - The state of Mississippi is asking multinational
telecommunications conglomerate AT&T to provide records of the work it
promised to do to expand broadband access in the state after the Public
Service Commission gave the company almost $300 million, officials said.

https://www.startribune.com/mississippi-subpoenas-at-t-for-records-on-300m-project/572393862/
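Editor's added example for Jeffrey Walton's TLS-certificate message above: it puts the two properties he contrasts side by side, the 398-day lifetime cap from the quoted article and a key-continuity check that pins the SubjectPublicKeyInfo hash and flags a renewal whose key changed unexpectedly (the signal he says exposed DigiNotar). This is Go written for this digest, not code from Walton, Gutmann or any CA; the Ed25519 key, the "example.test" subject and the 398- and 825-day validity periods are constructed, and the cap is treated as a plain 398*24h duration whereas the actual rule counts calendar days inclusively.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// MaxLifetime is the 398-day cap the quoted article reports, taken here as a plain duration (the actual rule counts calendar days inclusively).
const MaxLifetime = 398 * 24 * time.Hour

// SPKIFingerprint hashes the DER SubjectPublicKeyInfo: the value a
// key-continuity check pins and compares across renewals.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CheckRenewal reports whether a renewed certificate fits the cap and whether
// it still carries the pinned key (the unexpected-change signal Walton cites).
func CheckRenewal(pinned string, renewed *x509.Certificate) (lifetimeOK, continuityOK bool) {
	return renewed.NotAfter.Sub(renewed.NotBefore) <= MaxLifetime,
		SPKIFingerprint(renewed) == pinned
}

// NewKey returns a fresh Ed25519 key pair for the constructed certificates.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SelfSigned builds a constructed self-signed certificate valid for days.
func SelfSigned(pub ed25519.PublicKey, priv ed25519.PrivateKey, days int) (*x509.Certificate, error) {
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Pin SPKIFingerprint of the certificate currently in service, then run CheckRenewal on each replacement: a same-key 398-day renewal passes both checks, while a renewal that silently switches keys fails continuity even when its lifetime is within the cap.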
