akerl_ 9 hours ago

Which wider world?

These changes are coming from the CAB forum, which includes basically every entity that ships a popular web browser and every entity that ships certificates trusted in those browsers.

There are use cases for certificates that exist outside of that umbrella, but they are by definition niche.

nottorp 8 hours ago

> which includes basically every entity that ships a popular web browser and every entity that ships certificates trusted in those browsers.

So no one that actually has to renew these certificates.

Hey! How long does a root certificate from a certificate authority last?

10 to 25 years?

Why don't those last 120 minutes? They're responsible for the "security" of the whole internet aren't they?

codys 5 hours ago

> So no one that actually has to renew these certificates.

I believe Google, who maintain Chrome and are on the CAB, are an entity well known for hosting various websites (iirc, it's their primary source of income), and those websites do use https.

cpach 7 hours ago

It’s capped to 15 years.

In another comment someone linked to a document from the Chrome team.

Here’s a quote that I found interesting:

“In Chrome Root Program Policy 1.5, we landed changes that set a maximum ‘term-limit’ (i.e., period of inclusion) for root CA certificates included in the Chrome Root Store to 15 years.

While we still prefer a more agile approach, and may again explore this in the future, we encourage CA Owners to explore how they can adopt more frequent root rotation.”

https://googlechrome.github.io/chromerootprogram/moving-forw...

akerl_ 8 hours ago

It's almost like the threat models for CA and leaf certs are different.

michaelt 8 hours ago

About 99.99% of people and organisations are neither CAs nor Browsers. Hence they have no representation in the CAB Forum.

Hardly 'by definition niche' IMHO.

akerl_ 8 hours ago

The pitch here wasn't that only a few people get a vote, it was that the people making the decisions aren't aware of how "the wider world" works. And they are, clearly. The people making Chrome/Firefox and the people running the CAs every publicly-trusted site uses are aware of what their products do, and how they are used.

themafia an hour ago

They're aware of the major use cases. I doubt the minority cases are even on their radar.

So great for E-Commerce, not so great for anyone else.