nottorp 8 hours ago

> which includes basically every entity that ships a popular web browser and every entity that ships certificates trusted in those browsers.

So no one that actually has to renew these certificates.

Hey! How long does a root certificate from a certificate authority last? 10 to 25 years? Why don't those last 120 minutes? They're responsible for the "security" of the whole internet aren't they?
codys 5 hours ago

> So no one that actually has to renew these certificates.

I believe Google, who maintain Chrome and are on the CAB, are an entity well known for hosting various websites (iirc, it's their primary source of income), and those websites do use https
cpach 7 hours ago

It’s capped to 15 years.

In another comment someone linked to a document from the Chrome team. Here’s a quote that I found interesting:

“In Chrome Root Program Policy 1.5, we landed changes that set a maximum ‘term-limit’ (i.e., period of inclusion) for root CA certificates included in the Chrome Root Store to 15 years. While we still prefer a more agile approach, and may again explore this in the future, we encourage CA Owners to explore how they can adopt more frequent root rotation.”

https://googlechrome.github.io/chromerootprogram/moving-forw...
akerl_ 8 hours ago

It's almost like the threat models for CA and leaf certs are different.