Hope there's a timeline in which banking and corporate apps can run/be enrolled on that. If the current geopolitical mess from the USA isn't a good-enough reason to make it happen, I don't know what is.

Oh thanks for that link, I didn't know about it, pre-ordered!

It's hard with nix to end up with a system without first having a config for that system

Use matrix instead. Or zulip. Or xmpp. Or IRC

nftables is configured like that https://wiki.nftables.org/wiki-nftables/index.php/Simple_rul...

That's the decision. Do you know the reasoning?

The primary reason: Revocation doesn’t work for webscale (OCSP is now obsolete). So instead, shorter cert lifetimes.

PS. Saw this insightful comment over on Lobsters:

“One quantitative benefit is that the maximum lifetime of certificates sets a bound on the size of certificate revocation lists. John Schanck has done heroic work on CRLite at Mozilla to compress CRLs, and the reduction from 398 days to 47 days further shrinks them by a factor of more than 8. For Let’s Encrypt the current limit is 90, so a more modest but still useful factor of 2.”

https://lobste.rs/s/r2bamx/decreasing_certificate_lifetimes_...

There are several https://gist.github.com/ptman/1b9e3a992e6c8aeecc86b5f1fd1c5f...

Before SNI every https site needed a dedicated IP address. As https got more popular SNI was introduced