xyzzy_plugh 2 days ago

Yes, I think short-lived certs are ultimately where we're headed. We're starting to see adoption for O(days) now, but I imagine that the lifetime will continue to decrease to some minimum O(hours) in the years to come.
toast0 2 days ago

I dread supporting O(hours). Clients often have wrong clocks. I've seen some client systems that enforced 'Not Before' and interpreted the datetime as local time, and there were many users of that platform in the Americas; and my CA at the time insisted that Not Before was the time of issuance... lots of fun deciding how long to keep using a revoked certificate to balance the users with working revocation vs the users with broken Not Before checking. The client system I'm aware of is very dead, but maybe other systems managed similar.
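As an added example (not code from anyone in this thread), the Python below models the two failure modes toast0 describes against a constructed six-hour certificate: a client that reads the UTC 'Not Before' / 'Not After' timestamps as local wall-clock time, and a client whose clock is simply slow. The skew tolerance, timestamps and offsets are all made up for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed validity window for an O(hours) certificate (RFC 5280 times are UTC).
CERT_NOT_BEFORE = "2024-03-01T12:00:00Z"   # issuance time, per the CA
CERT_NOT_AFTER = "2024-03-01T18:00:00Z"    # six-hour lifetime

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(ts):
    """Correct reading: the 'Z' timestamp is UTC, regardless of client locale."""
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def parse_as_local_bug(ts, client_utc_offset_hours):
    """Buggy reading: the digits are taken as wall-clock time in the client's zone."""
    naive = datetime.strptime(ts, FMT)
    return naive.replace(tzinfo=timezone(timedelta(hours=client_utc_offset_hours)))


def validity_status(now, not_before, not_after, skew=timedelta(minutes=5)):
    """Classify 'now' against the window, tolerating a small clock skew (assumed 5 min)."""
    if now + skew < not_before:
        return "not_yet_valid"
    if now - skew > not_after:
        return "expired"
    return "ok"


def check_client(now_utc, client_utc_offset_hours, correct=True):
    """Evaluate the constructed cert as a client at true UTC time 'now_utc' would.

    'correct' selects the UTC reading; False selects the local-time bug.
    """
    now = parse_utc(now_utc)
    if correct:
        nb, na = parse_utc(CERT_NOT_BEFORE), parse_utc(CERT_NOT_AFTER)
    else:
        nb = parse_as_local_bug(CERT_NOT_BEFORE, client_utc_offset_hours)
        na = parse_as_local_bug(CERT_NOT_AFTER, client_utc_offset_hours)
    return validity_status(now, nb, na)


if __name__ == "__main__":
    # Ten minutes after issuance, a UTC-5 client with the bug still rejects the cert:
    # it believes Not Before is 12:00 local, i.e. 17:00Z, five hours away.
    print(check_client("2024-03-01T12:10:00Z", -5, correct=True))   # ok
    print(check_client("2024-03-01T12:10:00Z", -5, correct=False))  # not_yet_valid
    # A UTC+3 client with the bug sees the cert expire three hours early.
    print(check_client("2024-03-01T16:00:00Z", 3, correct=False))   # expired
    # A correctly implemented client whose clock is 10 minutes slow also fails.
    print(check_client("2024-03-01T11:50:00Z", 0))                  # not_yet_valid
```

With a six-hour lifetime the local-time bug makes the certificate unusable for Americas clients until after it has actually expired, which is why the trade-off toast0 describes gets sharper as lifetimes shrink.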
zephyreon 2 days ago

Ironically this ends up putting a ton more load on the issuers, which some others have pointed out is why revocation doesn't scale well (other than privacy concerns, which are valid).