[Info-vax] Certificates

Dave Froble davef at tsoft-inc.com
Mon Jul 24 19:48:46 EDT 2023


On 7/24/2023 7:25 PM, Arne Vajhøj wrote:
> On 7/24/2023 1:37 PM, Simon Clubley wrote:
>> On 2023-07-24, terry-... at glaver.org <terry-groups at glaver.org> wrote:
>>> We can't forget that certificate lifetimes have become shorter and
>>> shorter - you can't buy an SSL certificate with a longer expiration date
>>> than 1 year + any time remaining on the existing certificate. I think the
>>> only reason they haven't shortened it further is that once they get it
>>> down to 180 days, there's pretty much no reason not to use Let's
>>> Encrypt unless you're a bank or similar institution. I think the SSL
>>> certificate vendors would complain that their customer base would
>>> leave if they did that.
>>>
>>
>> You can blame Apple for that piece of utterly moronic stupidity:
>>
>> https://www.theregister.com/2020/02/20/apple_shorter_cert_lifetime/
>>
>> and then Google followed:
>>
>> https://www.theregister.com/2020/06/30/tls_cert_lifespan/
>>
>> I have also just discovered this piece of utter insanity which I didn't
>> know about until a few minutes ago:
>>
>> https://www.sectigo.com/resource-library/google-announces-intentions-to-limit-tls-certificates-to-90-days-why-automated-clm-is-crucial
>>
>>
>> Complete and utter insanity. What the hell makes Google think they
>> have the right to do this??? :-(
>>
>> You were way too optimistic when you said 180 days above.
>
> Apple, Google and Mozilla decide what certificates their
> browsers will accept.
>
> Everybody can write a browser with a different policy. But
> most likely web sites and certificate issuers will want
> to support the 99.9% that use a browser from those 3.
>
> I believe the primary reason for doing this is to
> ensure that the web site is indeed owned by those
> that the certificate was issued to.
>
> And secondarily to get rid of certificates based
> on obsolete algorithms.
>
> That damn security again!!
>
> I am not convinced that the first argument is good. If the web site
> is important then something should be done in hours/days. If the web
> site is not important, who cares? What web sites have a severity level
> where being faked for 1/3/6/12 months is OK but being faked for 3/5/10
> years is a problem?
>
> Arne
>
>

Well the problem is, what do people pay for a browser? Usually nothing. So one
gets what one pays for, and what leverage is there on browser vendors?

Ever get told you cannot access a web site because they don't have adequate 
security?  To then wail "but I need what they have".  It really gets me upset. 
But I'm too lazy to write a browser.

-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486
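The thread turns on how long a leaf certificate may be valid before browsers refuse it (the "1 year + remaining time" rule terry describes, and the 90-day limit in the Sectigo article Simon links). The check a site operator actually needs from this is mechanical: read the certificate, compute NotAfter minus NotBefore, compare it with the limit browsers enforce, and confirm the renewal automation will fire well before expiry. The Go program below is an added example, not code from the thread or from any of its participants. It assumes two policy values as constants (398 days, the cap Safari and Chrome have enforced since September 2020, and 90 days, the proposed limit), builds a constructed self-signed certificate so it runs offline, and reports the lifetime, days remaining and whether renewal is due for a chosen "now".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy limits used for the checks. 398 days is the maximum leaf lifetime
// Safari and Chrome have accepted since September 2020 (the "1 year" in the
// thread); 90 days is the limit Google has proposed. Both are assumed
// constants for this example, not read from any browser root program.
const (
	maxAcceptedDays = 398
	proposedDays    = 90
)

// LifetimeReport is what AssessCertificate returns for one certificate.
type LifetimeReport struct {
	Subject         string
	LifetimeDays    int  // NotAfter - NotBefore, in whole days
	DaysRemaining   int  // NotAfter - now, in whole days (negative once expired)
	ExceedsAccepted bool // longer than browsers currently accept
	ExceedsProposed bool // longer than the proposed 90-day limit
	RenewalDue      bool // inside the renewal window, or already expired
}

// AssessCertificate parses one PEM certificate and reports its validity
// period against the policy limits. "now" is a parameter so the result is
// deterministic; renewWithinDays is how far ahead of expiry renewal should run.
func AssessCertificate(pemBytes []byte, now time.Time, renewWithinDays int) (LifetimeReport, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return LifetimeReport{}, errors.New("input does not contain a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return LifetimeReport{}, err
	}
	lifetime := int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
	remaining := int(cert.NotAfter.Sub(now).Hours() / 24)
	return LifetimeReport{
		Subject:         cert.Subject.CommonName,
		LifetimeDays:    lifetime,
		DaysRemaining:   remaining,
		ExceedsAccepted: lifetime > maxAcceptedDays,
		ExceedsProposed: lifetime > proposedDays,
		RenewalDue:      remaining <= renewWithinDays,
	}, nil
}

// SelfSignedPEM builds a constructed self-signed certificate with the given
// validity window so the example runs offline; a real deployment would read
// the certificate the server actually presents.
func SelfSignedPEM(commonName string, notBefore time.Time, lifetimeDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(lifetimeDays) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed dates: issued 1 July 2023, checked on the day of this thread.
	issued := time.Date(2023, 7, 1, 0, 0, 0, 0, time.UTC)
	now := time.Date(2023, 7, 24, 0, 0, 0, 0, time.UTC)
	for _, days := range []int{730, 398, 90} {
		p, err := SelfSignedPEM("www.example.test", issued, days)
		if err != nil {
			panic(err)
		}
		r, err := AssessCertificate(p, now, 30)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", r)
	}
}
```

Running it shows the three cases side by side: a two-year certificate that browsers will not accept at all, a 398-day one that is accepted today but would fail a 90-day rule, and a 90-day one whose renewal has to be automated because a 30-day lead time leaves only two months of quiet. Pointing the same check at a live server is a matter of replacing SelfSignedPEM with the PEM from the TLS handshake.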
