dpoloncsak 5 hours ago

Isn't that why certificates expire, and the expiry window is getting shorter and shorter? To keep up with the length of time it takes someone to crack a private key?

JoshTriplett 3 hours ago

No, it has nothing to do with the time to crack encryption. It's to protect against two things: organizations that still have manual processes in place (making them increasingly infeasible in order to require automatic renewal) and excessively large revocation lists (because you don't need to serve data on the revocation of a now-expired certificate).

shagie 5 hours ago

It's also a "how much exposure do people have if the private key is compromised?"

Yes, it's to make it so that a dedicated effort to break the key has it rotated before someone can impersonate it... it's also a question of how big is the historical data window that an attacker has i̶f̶ when someone cracks the key?
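
An added illustration, written for this thread and not by either commenter, of the two mechanisms under discussion: a CRL only has to carry revoked certificates that have not yet expired, so its size is bounded by the revocation rate times the maximum lifetime, and a stolen key whose revocation nobody checks is usable until the certificate's notAfter. The revocation records below are constructed sample data; the rate and lifetime figures in the test are illustrative, not current policy values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Revocation:
    serial: int
    revoked_at: datetime
    not_after: datetime  # expiry of the revoked certificate


def active_crl(revocations, now):
    """Serials a CA still has to publish: revoked certs that have not expired.

    RFC 5280 (section 3.3) lets an entry be dropped once the certificate is
    past its validity period, so the list never grows beyond the revocations
    that happened within one maximum certificate lifetime.
    """
    return sorted(r.serial for r in revocations if r.not_after > now)


def steady_state_crl_entries(revocations_per_day, lifetime_days):
    """Upper bound on CRL entries at a constant revocation rate: every entry
    lives at most one certificate lifetime, so halving the lifetime halves
    the list."""
    return revocations_per_day * lifetime_days


def worst_case_exposure(not_before, not_after):
    """How long a leaked key stays usable against a client that ignores
    revocation: until the certificate expires, i.e. its whole validity
    period if the leak happens at issuance."""
    return not_after - not_before


# Constructed sample data: three revoked certificates as seen at NOW.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Revocation(0x1001, NOW - timedelta(days=10), NOW + timedelta(days=20)),  # still valid
    Revocation(0x1002, NOW - timedelta(days=400), NOW - timedelta(days=5)),  # expired, droppable
    Revocation(0x1003, NOW - timedelta(days=1), NOW + timedelta(days=80)),   # still valid
]

if __name__ == "__main__":
    print("serials still on the CRL:", [hex(s) for s in active_crl(SAMPLE, NOW)])
    print("CRL bound at 10 revocations/day, 398-day certs:", steady_state_crl_entries(10, 398))
    print("CRL bound at 10 revocations/day, 47-day certs:", steady_state_crl_entries(10, 47))
```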

dmitrygr 5 hours ago

No. The sister comment gave the correct answer. It is because nobody checks revocation lists. I promise you there’s nobody out there who can factor a private key out of your certificate in 10, 40, 1000, or even 10,000 days.

dpoloncsak 5 hours ago

I thought I remembered someone breaking one recently, but (unless I've found a different recent arxiv page) seems like it was done using keys that share a common prime factor. Oops!

Fwiw: https://arxiv.org/abs/2512.22720