[Info-vax] Certificates
Arne Vajhøj
arne at vajhoej.dk
Mon Jul 24 19:25:06 EDT 2023
On 7/24/2023 1:37 PM, Simon Clubley wrote:
> On 2023-07-24, terry-... at glaver.org <terry-groups at glaver.org> wrote:
>> We can't forget that certificate lifetimes have become shorter and
>> shorter - you can't buy an SSL certificate with a longer expiration date
>> than 1 year + any time remaining on the existing certificate. I think the
>> only reason they haven't shortened it further is that once they get it
>> down to 180 days, there's pretty much no reason not to use Let's
>> Encrypt unless you're a bank or similar institution. I think the SSL
>> certificate vendors would complain that their customer base would
>> leave if they did that.
>>
>
> You can blame Apple for that piece of utterly moronic stupidity:
>
> https://www.theregister.com/2020/02/20/apple_shorter_cert_lifetime/
>
> and then Google followed:
>
> https://www.theregister.com/2020/06/30/tls_cert_lifespan/
>
> I have also just discovered this piece of utter insanity which I didn't
> know about until a few minutes ago:
>
> https://www.sectigo.com/resource-library/google-announces-intentions-to-limit-tls-certificates-to-90-days-why-automated-clm-is-crucial
>
> Complete and utter insanity. What the hell makes Google think they
> have the right to do this??? :-(
>
> You were way too optimistic when you said 180 days above.
Apple, Google and Mozilla decide what certificates their
browsers will accept.
Everybody can write a browser with a different policy. But
most likely web sites and certificate issuers will want
to support the 99.9% that use a browser from those 3.
I believe the primary reason for doing this is to
ensure that the web site is indeed owned by those
that the certificate was issued to.
And secondarily to get rid of certificates based
on obsolete algorithms.
That damn security again!!
I am not convinced that the first argument is good. If the web site
is important then something should be done in hours/days. If the web
site is not important, who cares? What web sites have a severity level
where being faked for 1/3/6/12 months is OK but being faked for 3/5/10
years is a problem?
Arne
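The thread argues about certificate lifetimes without showing how the limit is actually measured. The following is an added example, not code from Arne's post or from anyone in the thread: a pure-stdlib Python walk of a DER-encoded X.509 certificate down to its Validity field, followed by a check of notAfter minus notBefore against a ceiling. The 398-day ceiling is the figure from the 2020 Apple and Google announcements linked above; the 90-day figure is Google's proposal from the Sectigo link. The sample certificates are constructed inline (hypothetical host `example.test`, dummy key and signature) so the code runs offline; the encoder exists only to build that test input.

```python
"""Measure an X.509 certificate's validity period against the browser-enforced
lifetime ceiling, using only the standard library.  Added example; not code
from the Info-vax thread."""
from datetime import datetime, timedelta, timezone

MAX_DAYS_CURRENT = 398   # Apple/Chrome/Mozilla ceiling for certs issued since Sept 2020
MAX_DAYS_PROPOSED = 90   # Google's proposed ceiling discussed in the thread


# --- minimal DER encoder, used only to construct the sample certificates ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _seq(*parts):
    return _tlv(0x30, b"".join(parts))


def _encode_time(dt):
    # RFC 5280: UTCTime (YYMMDDHHMMSSZ) through 2049, GeneralizedTime from 2050 on.
    if dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def sample_cert(year, month, day, days):
    """Constructed test input: a structurally valid v3 certificate for the
    hypothetical host 'example.test', valid from 00:00 UTC on the given date
    for `days` days.  The key and the signature are dummies."""
    not_before = datetime(year, month, day, tzinfo=timezone.utc)
    not_after = not_before + timedelta(days=days)
    rsa_sha256 = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))
    cn = _seq(_tlv(0x06, bytes.fromhex("550403")), _tlv(0x0C, b"example.test"))  # id-at-commonName
    name = _seq(_tlv(0x31, cn))                                                  # Name ::= SEQUENCE OF SET
    validity = _seq(_encode_time(not_before), _encode_time(not_after))
    spki = _seq(_seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")), _tlv(0x05, b"")),
                _tlv(0x03, b"\x00\x00"))                                         # dummy key bits
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")),   # version [0] EXPLICIT = v3
               _tlv(0x02, b"\x01"),               # serialNumber
               rsa_sha256, name, validity, name, spki)
    return _seq(tbs, rsa_sha256, _tlv(0x03, b"\x00" * 5))  # dummy signature BIT STRING


# --- the check itself: walk the DER to the Validity field and measure it ---
def _read_tlv(buf, pos):
    """Return (tag, contents, position just past the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                       # UTCTime: two-digit year, 50..99 means 19xx
        yy = int(s[:2])
        s = str(yy + (1900 if yy >= 50 else 2000)) + s[2:]
    elif tag != 0x18:                     # GeneralizedTime: four-digit year
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """(notBefore, notAfter) as UTC datetimes, read from a DER Certificate."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)       # version [0] is OPTIONAL; absent in v1 certs
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)   # serialNumber
    _, _, pos = _read_tlv(tbs, pos)       # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)       # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)  # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, pos)
    return _decode_time(t1, nb), _decode_time(t2, na)


def lifetime_days(der):
    nb, na = certificate_validity(der)
    return (na - nb).total_seconds() / 86400


def within_lifetime_limit(der, max_days=MAX_DAYS_CURRENT):
    """True if notAfter - notBefore does not exceed max_days."""
    return lifetime_days(der) <= max_days


if __name__ == "__main__":
    for y, m, d, days in ((2023, 7, 24, 365), (2023, 7, 24, 825), (2049, 12, 1, 90)):
        cert = sample_cert(y, m, d, days)
        print("%4d-day cert: ok under 398-day rule=%s, ok under 90-day proposal=%s"
              % (days, within_lifetime_limit(cert), within_lifetime_limit(cert, MAX_DAYS_PROPOSED)))
```

Two caveats for anyone running this against real certificates: the ceiling in the Apple and Google policies is 398 days, not the "1 year" the thread rounds it to, and it applies to the notAfter minus notBefore span of the leaf certificate, so a certificate that is cut short by the CA's remaining-term rule is still measured by its own two dates. The third sample deliberately straddles 2050 so that notBefore is a UTCTime and notAfter a GeneralizedTime, the switch a hand-rolled parser most often gets wrong.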