dmitrygr 5 hours ago

Which is yet another chore. And it doesn’t add any security. A certificate expired yesterday proves I am who I am just as much as it did yesterday. As long as the validity length is shorter than how long it would take somebody to work out the private key from the public key, it is fine.

bombcar 5 hours ago | parent | next [-]

Shortening certificate periods is just their way of admitting that certification revocation lists are absolutely worthless.

nightpool 5 hours ago | parent | next [-]

No, they're not useless at all. The point of shortening certificate periods is that companies complain when they have to put customers on revocation lists, because their customers need ~2 years to update a certificate. If CRLs were useless, nobody would complain about being put on them. If you follow the revocation tickets in ca-compliance bugzilla, this is the norm—not the exception. Nobody wants to revoke certificates because it will break all of their customers. Shortening the validity period means that CAs and users are more prepared for revocation events.

pas 4 hours ago | parent [-]

... what are the revocation tickets about then? how is it even a question whether to put a cert on the CRL? either the customer wants to or the key has been compromised? (in which case the customer should also want to have it revoked ASAP, no?)

can you elaborate on this a bit? thank you!

bombcar 3 hours ago | parent [-]

From my experience the biggest complaints/howlings are when the signing key is compromised; e.g., your cert is valid and fine, but the authority screwed up and so they had to revoke all certs signed with their key because that leaked.

E.g., collateral damage.

nathanaldensr 5 hours ago | parent | prev [-]

Right. It's the same debate about how long authorization cookies or tokens should last. At one point in time--only one--authentication was performed in a provable enough manner that the certificate was issued. After that--it could be seconds, hours, days, years, or never--that assumption could become invalid.

danesparza 5 hours ago | parent | prev | next [-]

An expired cert is a smell. It shows somebody isn't paying attention.

And a short expiration time absolutely increases security by reducing attack surface.

dmitrygr 5 hours ago | parent | next [-]

It did until it got so short that it created a new potential attack surface — the scripts everyone is using to auto update them.

organsnyder 5 hours ago | parent [-]

Compared to the manual processes these scripts replaced, I'd put more trust in the automations.

dmitrygr 5 hours ago | parent [-]

And the original article shows you how that is going

ajsnigrutin 5 hours ago | parent | prev [-]

Or that someone asked to renew it, one of their four bosses didn't sign off the appropriate form, the only person to take that form to whoever does the certs is on a vacation, person issuing certs needs all four of his bosses to sign it off, and one of those bosses has been DOGE-ed and not yet replaced.

expired letsencrypt cert on a raspberrypi at home smells of not paying attention... with governments, there are many, many points of failure.

hananova 4 hours ago | parent | next [-]

The whole point of these shorter certificate durations is to force companies to put in automation that doesn't require 14 layers of paperwork. Some companies will be stubborn, and will thus be locked in an eternal cycle of renew->get paperwork started for renew. Most will adapt.

danesparza an hour ago | parent | prev [-]

Humbly, I disagree with you. What better use of our tax dollars than to automate away as many problems as we can?

allthetime 5 hours ago | parent | prev | next [-]

"yet another chore"

use cloudflare, never think about it.

or

use certbot, never think about it.

dmitrygr 5 hours ago | parent [-]

I am curious how long the approval process in some large corp or the military would be for either of those options...

Hand over our private keys to a third party or run this binary written by some volunteers in some basements who will not sign a support contract with us...

icedchai 3 hours ago | parent | next [-]

I've worked with large "enterprises" that refuse to use the easy-to-automate certificate services, including AWS Certificate Manager. They would rather continue to procure certificates through a third party, email around keys, etc. They somehow believe these archaic practices are more secure.

hananova 4 hours ago | parent | prev | next [-]

Well they can either automate it, or soon spend literally every waking moment in a cycle of paperwork to chase the next renewal.

The whole point was to force automation, and if corps want to be stubborn that's no skin off my back, the shorter durations are coming regardless.

allthetime 4 hours ago | parent | prev [-]

In this case some manual work may need to be done.

dpoloncsak 5 hours ago | parent | prev [-]

Isn't that why certificates expire, and the expiry window is getting shorter and shorter? To keep up with the length of time it takes someone to crack a private key?

JoshTriplett 3 hours ago | parent | next [-]

No, it has nothing to do with the time to crack encryption. It's to protect against two things: organizations that still have manual processes in place (making them increasingly infeasible in order to require automatic renewal) and excessively large revocation lists (because you don't need to serve data on the revocation of a now-expired certificate).
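The mass-revocation case and the revocation-list-size point raised in the comments above, as an added example that is not part of any comment in the thread: a small model of how long revoked entries stay on a CRL and how long a relying party keeps accepting a revoked certificate. The function names, the fleet of 1000 certificates, the 398-day and 47-day validity periods and the 7-day CRL refresh are all assumptions chosen for the comparison.

```python
"""Constructed model: a CA revokes every live certificate on one day
and we watch the CRL drain as those certificates expire."""

def remaining_validity(n_certs, validity_days):
    """Days left on each live cert at the event, assuming issuance was
    spread evenly over the previous validity period (an assumption)."""
    return [validity_days - (i * validity_days) // n_certs
            for i in range(n_certs)]

def crl_size(remaining, days_after_event):
    """Entries still listed: a revoked cert can be dropped once it has
    expired. (Simplified: real CAs keep the entry for one more scheduled
    CRL after expiry.)"""
    return sum(1 for r in remaining if r > days_after_event)

def days_until_empty(remaining):
    """First day on which no entry from the event is left on the CRL."""
    return max(remaining)

def acceptance_window(remaining_days, checks_revocation, crl_refresh_days):
    """Days a relying party keeps accepting a revoked cert. A client that
    ignores revocation accepts it until expiry; one that checks stops at
    its next CRL refresh, or at expiry if that comes first."""
    if not checks_revocation:
        return remaining_days
    return min(remaining_days, crl_refresh_days)

def summarize(n_certs, validity_days, crl_refresh_days=7):
    """Collect the figures for one validity period (hypothetical helper)."""
    rem = remaining_validity(n_certs, validity_days)
    return {
        "validity": validity_days,
        "crl_day_0": crl_size(rem, 0),
        "crl_day_47": crl_size(rem, 47),
        "empty_after": days_until_empty(rem),
        "worst_no_check": acceptance_window(max(rem), False, crl_refresh_days),
        "worst_checking": acceptance_window(max(rem), True, crl_refresh_days),
    }

if __name__ == "__main__":
    # 398 and 47 days are sample validity periods chosen for the comparison.
    for v in (398, 47):
        print(summarize(1000, v))
```

In this model the validity period bounds both how long the CA must keep serving the entries and how long a client that ignores revocation keeps trusting the certificate; a client that does check is bounded by its refresh interval instead.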

shagie 5 hours ago | parent | prev | next [-]

It's also a "how much exposure do people have if the private key is compromised?"

Yes, it's to make it so that a dedicated effort to break the key has it rotated before someone can impersonate it... it's also a question of how big is the historical data window that an attacker has i̶f̶ when someone cracks the key?

dmitrygr 5 hours ago | parent | prev [-]

No. The sister comment gave the correct answer. It is because nobody checks revocation lists. I promise you there’s nobody out there who can factor a private key out of your certificate in 10, 40, 1000, or even 10,000 days.

dpoloncsak 5 hours ago | parent [-]

I thought I remembered someone breaking one recently, but (unless I've found a different recent arxiv page) seems like it was done using keys that share a common prime factor. Oops!

Fwiw: https://arxiv.org/abs/2512.22720