[Cryptography] Apple's 13-month certificate policy

Phillip Hallam-Baker phill at hallambaker.com
Sat Feb 22 21:02:18 EST 2020


On Sat, Feb 22, 2020 at 8:08 PM John-Mark Gurney <jmg at funkthat.com> wrote:

> Patrick Chkoreff wrote this message on Sat, Feb 22, 2020 at 18:23 -0500:
> > Henry Baker wrote on 2/22/20 12:04 PM:
> >
> > > https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/
> > ...
> > > We note Let's Encrypt issues free HTTPS certificates that expire after
> > > 90 days, and provides tools to automate renewals, so those will be
> > > just fine - and they are used all over the web now.
> >
> > Yes, the auto-renewal works beautifully and eliminates a world of
> > headaches.  I suspect that Apple's move will accelerate the adoption of
> > Let's Encrypt, now that everyone will have to renew more often.
>
> Or at least force other CAs to adopt the ACME API to issue certs.
>
> Overall, it's a good thing, and IMO, even 90 days is a bit long.  With
> automated renewal, 7-30 days is more than long enough.
>

With automated renewal, limit validity to 7 days and renew daily. No need
for OCSP or CRLs.
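
The trade-off raised in this thread, as an added example that is not part of any poster's message: a day-by-day renewal simulation showing how long a stolen key stays usable when clients check no OCSP or CRL, and how long a CA outage each schedule survives before the served certificate expires. Assumptions: whole-day granularity, a 60-day renewal interval for the 90-day case, and the hypothetical names `simulate` and `longest_tolerated_outage`.

```python
from datetime import date, timedelta

START = date(2020, 2, 22)  # constructed start date for the simulation

def simulate(validity_days, renew_every_days, outage=None, horizon_days=500):
    """Run a day-by-day renewal loop.

    outage: optional (first_day, last_day) offsets during which the CA cannot
    be reached. Returns (expired_days, worst_exposure_days): the day offsets
    on which the served certificate had expired, and the longest remaining
    validity of any certificate in service, i.e. how long a stolen key stays
    usable when relying parties do no revocation checking.
    """
    not_after = START + timedelta(days=validity_days)
    next_renewal = START + timedelta(days=renew_every_days)
    expired_days, worst_exposure = [], validity_days
    for n in range(horizon_days):
        today = START + timedelta(days=n)
        ca_down = outage is not None and outage[0] <= n <= outage[1]
        # A missed renewal is retried every following day until it succeeds.
        if today >= next_renewal and not ca_down:
            not_after = today + timedelta(days=validity_days)
            next_renewal = today + timedelta(days=renew_every_days)
        if today >= not_after:
            expired_days.append(n)
        worst_exposure = max(worst_exposure, (not_after - today).days)
    return expired_days, worst_exposure

def longest_tolerated_outage(validity_days, renew_every_days):
    """Longest CA outage in days that causes no expiry, with the outage
    starting at the worst moment: on a scheduled renewal day."""
    first = renew_every_days * 3
    length = 0
    while True:
        horizon = first + length + 2  # always covers the whole outage
        expired, _ = simulate(validity_days, renew_every_days,
                              (first, first + length), horizon)
        if expired:
            return length  # an outage of length + 1 days was one too many
        length += 1

if __name__ == "__main__":
    # (validity, renewal interval); the 60-day interval is an assumption
    for validity, interval in [(90, 60), (7, 1)]:
        _, exposure = simulate(validity, interval)
        slack = longest_tolerated_outage(validity, interval)
        print(f"{validity}-day cert, renew every {interval}d: stolen key usable "
              f"up to {exposure}d, survives a {slack}d CA outage")
```

The exposure bound equals the validity period, and the outage slack is the validity minus the renewal interval, so a 7-day certificate renewed daily leaves six days to repair a failed renewal pipeline.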