[Info-vax] Certificates

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Mon Jul 24 16:25:03 EDT 2023


On 2023-07-24 17:37:37 +0000, Simon Clubley said:

> On 2023-07-24, terry-... at glaver.org <terry-groups at glaver.org> wrote:
>> 
>> We can't forget that certificate lifetimes have become shorter and
>> shorter - you can't buy an SSL certificate with a longer expiration date
>> than 1 year + any time remaining on the existing certificate. I think the
>> only reason they haven't shortened it further is that once they get it
>> down to 180 days, there's pretty much no reason not to use Lets
>> Encrypt unless you're a bank or similar institution. I think the SSL
>> certificate vendors would complain that their customer base would
>> leave if they did that.
>> 
> 
> You can blame Apple for that piece of utterly moronic stupidity:
> 
> https://www.theregister.com/2020/02/20/apple_shorter_cert_lifetime/
> 
> and then Google followed:
> 
> https://www.theregister.com/2020/06/30/tls_cert_lifespan/
> 
> I have also just discovered this piece of utter insanity which I didn't 
> know about until a few minutes ago:
> 
> https://www.sectigo.com/resource-library/google-announces-intentions-to-limit-tls-certificates-to-90-days-why-automated-clm-is-crucial 
> 
> 
> Complete and utter insanity. What the hell makes Google think they
> have the right to do this??? :-(
> 
> You were way too optimistic when you said 180 days above.

I'm not sure I see the issue for OpenVMS, as its certificate 
implementation and integrated certificate usage are approximately zilch.

Everybody's using their own, built atop OpenSSL.

Using the ACME tooling (RFC 8555) will probably involve a second box 
and transfers, though—ACME hasn't been ported to OpenVMS AFAIK.

Automation helps. OpenVMS is lacking there, though.

https://ivision.com/blog/why-shorter-ssl-certificate-lifetimes/

As for shorter lifetimes, Google announced they were working on 13 
months back in 2019:

https://venafi.com/blog/jury-out-whether-reducing-certificate-lifetimes-would-improve-security/0 


I'd wager the browser vendors were encountering more certificate 
issuance shenanigans than we will probably reasonably ever know about, 
too. And we know about some.

A whole lot of effort went into weakening TLSv1.3 as part of efforts 
toward easing TLS interception too, though most of those efforts seem 
to have failed in the final standard.

Discussions and actually-shorter lifetimes go back to 2015, and earlier:

https://letsencrypt.org/2015/11/09/why-90-days.html

DEC/Compaq/HP/HPE does have one long-lived certificate that'll blow up 
with the first signed product kit installs after 31-Dec-2028, though.

-- 
Pure Personal Opinion | HoffmanLabs LLC 
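Added example, not code from the post above nor from OpenVMS, OpenSSL or any ACME client: a small Go check of the two things the thread is arguing about, the 398-day maximum browsers enforce on publicly trusted server certificates and the renewal window you have to watch when the ACME client runs on a second box and the renewed certificate gets transferred over. It builds a constructed self-signed test certificate so it runs offline; the hostname vms.example.invalid and the 30-day renewal window are assumptions, and a real deployment would feed ParsePEM the server's own PEM file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetime is the 398-day ceiling browsers have enforced on publicly
// trusted server certificates since September 2020.
const MaxLifetime = 398 * 24 * time.Hour

// RenewalWindow is an assumed operational threshold: start the renewal (or
// the transfer from the box that runs the ACME client) once fewer than this
// many days remain.
const RenewalWindow = 30 * 24 * time.Hour

// Verdict summarises what an operator needs to know about one certificate.
type Verdict struct {
	Lifetime   time.Duration // NotAfter - NotBefore
	Remaining  time.Duration // NotAfter - now (negative once expired)
	ExceedsMax bool          // issued for longer than MaxLifetime
	RenewNow   bool          // inside the renewal window and not yet expired
	Expired    bool
}

// Assess evaluates a parsed certificate at a given instant.
func Assess(cert *x509.Certificate, now time.Time) Verdict {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	v := Verdict{
		Lifetime:   lifetime,
		Remaining:  remaining,
		ExceedsMax: lifetime > MaxLifetime,
		Expired:    remaining <= 0,
	}
	v.RenewNow = !v.Expired && remaining < RenewalWindow
	return v
}

// ParsePEM decodes the first CERTIFICATE block in PEM data, such as a file
// written by an OpenSSL-based server; other block types (keys) are skipped.
func ParsePEM(data []byte) (*x509.Certificate, error) {
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			return nil, errors.New("no CERTIFICATE block found")
		}
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
		data = rest
	}
}

// SelfSignedPEM builds a constructed, self-signed test certificate with the
// requested validity; it stands in for a real CA-issued leaf certificate.
func SelfSignedPEM(notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vms.example.invalid"}, // assumed name
		DNSNames:     []string{"vms.example.invalid"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	start := time.Date(2023, 7, 24, 0, 0, 0, 0, time.UTC)
	// A 90-day (ACME-style) cert and a two-year cert, both checked 70 days in.
	for _, days := range []int{90, 730} {
		pemData, err := SelfSignedPEM(start, time.Duration(days)*24*time.Hour)
		if err != nil {
			panic(err)
		}
		cert, err := ParsePEM(pemData)
		if err != nil {
			panic(err)
		}
		v := Assess(cert, start.Add(70*24*time.Hour))
		fmt.Printf("%3d-day cert: %.0f days left, exceeds 398-day max: %t, renew now: %t, expired: %t\n",
			days, v.Remaining.Hours()/24, v.ExceedsMax, v.RenewNow, v.Expired)
	}
}
```

The useful part on a box without an ACME client is Assess: run it from a scheduled job against the installed certificate and let RenewNow drive the transfer from wherever the ACME client actually lives, rather than discovering the expiry from a browser warning.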
