I'm sorry, but WTF. 99% of Word users never use more than 10% of the functionality, none of which really changed in the last 20 years. Situation is a bit better for Excel, but even then, real user functionality hasn't changed in a very long time. The only part LibreOffice can't do is important Desktop Publishing Word files 1:1, but even Word fails that across versions. I have no idea why you would even *need* hardware acceleration for an effing office suite.

No one is forcing Apple to host all apps listed in the app store. The market fee is also completely out of proportion for most apps, just look at the amount of profit Apple makes from the App Store. Just to avoid any confusion: Google isn't any better.

So you want a school admin to coordinate possible alternatives for 20+ kids in a class? Good luck. There are much easier alternatives like having a special communication area etc. Don't get me wrong, I'm generally in favor of restricting the use of mobile phones in schools. I have enough experience volunteering for after-school clubs to understand the impact. But we all know that the devil is in the details and there are enough moronic admins running around already that believe e.g. a blood sugar monitor must be restricted.

The point is to inform them *before* the last class, so that they actually have time to come.

It's not a moral panic, there is actual evidence that a general cell phone ban does help. A lot.

There are legitimate reasons, e.g. informing parents that some classes at the end of the day have been cancelled. But they are rare.

Most of the rest of the world has a caller-pays scheme. It's not perfect, but it motivates telcos to keep scammers out of their network as they actually cost money.

I'm personally more willing to bet on Fusion.

It would confuse Americans?

The expansion of the Sahara was anything but normal. It's one of two well documented cases of human mass agriculture completely fucking up some of the most productive land on the planet (at the same). The other case of course is Mesopotamia.

I never had to manually accept a certificate for WiFi. Guess I was holding it wrong. Oh wait, no. Those RADIUS servers had competent admins that served a certificate chain to a trust root. I guess it explains why you are retied when you still couldn't figure out automation of certificate rollover..

I've written the code and administrated the systems over the last twenty years. I've heard the excuses, too. Have you? Let me blow your mind for moment. Protocols like Kerberos had support for renewing a ticket automatically without need for human intervention for 30 years. It's a solved problem. It's not even hard to automatically validate the replacement certificate in a way that is better than whatever human compliance tests will make you do, e.g. check the validation time, ensure that the same trust anchors are used etc. Maybe just accept that your Enterprise VPN is shit if it tells you that a certificate rotation needs a restart or disconnecting running connections.

No, it doesn't mean anything like that. The certificate is only used during a very brief window of a connection, the initial handshake for computing a symmetric key. The software complexity is nothing more than a reader-writer lock and a pointer update (or something slightly more involved if you want to keep it lock-free). Same for VPNs. If your software or appliance can't do that, it is just badly designed.

Please read again what I wrote. You can certainly buy CA certificates (with appropriate restrictions, e.g. to a specific domain like a wildcard certificate) on the market and those intermediary certificates have much longer time limits. It's a costly option, in part due to the audits involved, but certainly possible if you have the somewhat unusual constraints of not controlling the clients of the air-gapped system as well.

The pedantic answer: your problem is not the changing the certificate, but distributing it. It's a small but important distinction. The real answer would be: run a trusted Subordinate CA inside the air-gapped network. For the certificate of the Subordinate CA, different rules apply.