00:35:29 Grant T.: What version of Mailman is in Debian 11? 2.x or 3.x?
00:52:33 Grant T.: I know of John P.
01:08:17 Karen Griffin: Do certificates expire?
01:10:28 Anonymous Coward recording you: The expiration date can vary.
01:11:24 Grant T.: Flag on the statement: You must update the certificate bundle. You can use a new bundle on older software. (Bugs notwithstanding.)
01:23:28 Grant T.: Doesn’t the ALPACA attack come into play more so with wildcard certs?
01:23:54 Sean T.: -longName is just wrong. It should be -t or --text not -text. Who came up with these openssl flags? Have they ever used a Unix-like system before?
01:24:06 Sam: Hi Michael, I just joined the session as meetup showed that meeting is on Friday earlier and missed to join on time. Is it possible to briefly let me know the key points that I have missed?
01:25:23 Grant T.: Sam, the meeting is being recorded. I think that should answer your question after it’s published in a few days.
01:25:24 Scarlet Tobar (skrlet13): This meeting is being recorded Sam, you can check later
01:26:21 Bob Beck: use short lived certificates!
01:26:25 Sam: Replying to "Sam, the meeting is ..." Thank you! It would be great to refer to the recording. I will look out for it
01:26:31 Sam: Reacted to "This meeting is bein..." with 👍
01:27:20 Sean T.: Replying to "Sam, the meeting is ..." Archives are usually posted here in a day or so: https://www.sluug.org/resources/presentations/body.html
01:27:44 Sam: Replying to "Sam, the meeting is ..." Thank you!
01:28:31 Grant T.: Replying to "use short lived cert..." What constitutes “short”?!?!?! 😈
01:29:12 Bob Beck: Replying to "use short lived cert…" I typically use two weeks
01:29:36 Grant T.: Reacted to "I typically use two ..." with 😉
01:29:55 Bob Beck: Replying to "use short lived cert…" since that is the normal max validity you can expect for a crl
01:32:37 Bob Beck: Replying to "Doesn’t the ALPACA a…" not directly.
sharing any cert between ftp and www servers for example (even if not a wildcard) allows for it
01:34:11 Grant T.: Replying to "Doesn’t the ALPACA a..." Looking at it from the other side and using separate certificates & names for different servers makes it quite a bit harder to have ALPACA problems. E.g. HTTPS cert is only used on HTTPS server & port. Difficult to try SMTPS attacks a la ALPACA.
01:47:55 Bob Beck: https://github.com/letsencrypt/boulder
01:49:38 Grant T.: I’m fairly certain that OpenSSL can create constrained certs with config files.
01:50:48 Brad Jones: Are the ACME CA servers in the trust CA lists on the 6 anchors?
01:51:10 Karen Griffin: Will AI replace certificates?
01:51:23 Grant T.: Replying to "Will AI replace cert..." NO!!!
01:51:38 Dmitry Rocha: haha
01:52:32 Brad Jones: So the ACME solution is great for internal server/devices where you can add the CA to your devices to trust its certs? That is how I've always understood it works, but never could find a definite answer. Is that correct?
01:53:36 Grant T.: Replying to "So the ACME solution..." ACME is a protocol. It can be used for good and bad.
01:54:15 Brad Jones: Replying to "So the ACME solution..." but not on public servers you want anyone to trust (from the 6 trust anchors?)
01:54:21 Grant T.: My web server uses ACME to communicate with my CA to authenticate myself to my CA’s satisfaction and to get a new cert.
01:54:22 Bob Beck: Replying to "So the ACME solution…" letsencrypt is publicly trusted
01:54:29 Bob Beck: Replying to "So the ACME solution…" and does acme
01:54:30 Grant T.: ACME works well for public certs.
01:54:48 Bob Beck: Replying to "So the ACME solution…" so you can use it for a public server
01:55:22 Brad Jones: Replying to "So the ACME solution..." Sorry, letsencrypt is what I was meaning to talk about. Thank you. I just don't see it on my boxes.
01:55:35 Scarlet Tobar (skrlet13): Replying to "Will AI replace cert..."
lol
01:55:42 josh g.: Replying to "So the ACME solution..." Brad, for clarity, Let's Encrypt uses ACME to have you prove you control your public-facing server, and then issues a domain cert.
01:56:07 Brad Jones: Now I found it under intermediate. Sorry.
01:58:10 Brad Jones: Thank you, and I last looked years ago, just have not looked in recent years.
02:02:30 Sean T.: every year some team at Microsoft forgets to renew their SSL cert.
02:08:45 Bob Beck: alt.sysadmin.recovery
02:09:11 Grant T.: Replying to "alt.sysadmin.recover..." 😈 good luck with that.
02:22:02 Brad Jones: not to start a flame war, but which is better, ed, or vi?
02:22:26 Grant T.: It depends, glass terminal or printed paper?
02:23:33 josh g.: Replying to "not to start a flame..." The answer is "Yes" :)
02:23:37 Bob Beck: all capital? or lower case capable terminal?
02:23:55 Grant T.: I would want mixed case for both ed and vi
02:28:53 Sean T.: OpenSSH is shipped by default on many recent versions of Windows 10 and I think all Windows 11. So probably more installed than Java
02:29:40 Grant T.: Replying to "OpenSSH is shipped b..." I really honestly and truly want to agree. But my understanding is that Java is on the chip on CHIP+PIN cards.
02:30:23 Grant T.: N4SA
02:32:18 Grant T.: Don’t forget the network admin’s scapegoat; the firewall
02:35:05 Scarlet Tobar (skrlet13): Sorry, I gotta leave, it's pretty late here. Thanks Michael and Saint Louis Linux Users Group!
02:36:27 Michael Lucas: https://www.tiltedwindmillpress.com/
02:36:56 Michael Lucas: my site, blog, etc - https://mwl.io
02:38:10 Grant T.: #MakeWords!!!
02:38:20 Brad Jones: Yes, thank you very much!
02:38:42 Michael Lucas: mastodon: @mwl@io.mwl.io