[Cryptography] Apple's 13-month certificate policy
Raymond Burkholder
ray at oneunified.net
Sun Feb 23 01:43:30 EST 2020
On 2020-02-22 7:02 p.m., Phillip Hallam-Baker wrote:
> On Sat, Feb 22, 2020 at 8:08 PM John-Mark Gurney <jmg at funkthat.com> wrote:
>
> Patrick Chkoreff wrote this message on Sat, Feb 22, 2020 at 18:23 -0500:
> > Henry Baker wrote on 2/22/20 12:04 PM:
> >
> > > https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/
> > ...
> > > We note Let's Encrypt issues free HTTPS certificates that expire after
> > > 90 days, and provides tools to automate renewals, so those will be
> > > just fine - and they are used all over the web now.
> >
> > Yes, the auto-renewal works beautifully and eliminates a world of
> > headaches. I suspect that Apple's move will accelerate the adoption of
> > Let's Encrypt, now that everyone will have to renew more often.
>
> Or at least force other CAs to adopt the ACME api to issue certs.
>
> Overall, it's a good thing, and IMO, even 90 days is a bit long. With
> automated renewal, 7-30 days is more than long enough.
>
>
> With automated renewal, limit validity to 7 days and renew daily. No
> need for OCSP or CRLs.
Correct me if I'm wrong, but my ACME api can't automate the auto-renewal
for my email server if it doesn't have a web port open, or my HP ILO
servers for the management port, or the VPN servers with other styles of
lockdowns, .... other forms of automation are thus required, at various
levels of complexity.