[Cryptography] Apple's 13-month certificate policy

John-Mark Gurney jmg at funkthat.com
Sun Feb 23 02:04:30 EST 2020


Raymond Burkholder wrote this message on Sat, Feb 22, 2020 at 23:43 -0700:
> 
> On 2020-02-22 7:02 p.m., Phillip Hallam-Baker wrote:
> > On Sat, Feb 22, 2020 at 8:08 PM John-Mark Gurney <jmg at funkthat.com 
> > <mailto:jmg at funkthat.com>> wrote:
> >
> >     Patrick Chkoreff wrote this message on Sat, Feb 22, 2020 at 18:23
> >     -0500:
> >     > Henry Baker wrote on 2/22/20 12:04 PM:
> >     >
> >     > >
> >     https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/
> >     > ...
> >     > > We note Let's Encrypt issues free HTTPS certificates that
> >     expire after
> >     > > 90 days, and provides tools to automate renewals, so those will be
> >     > > just fine — and they are used all over the web now.
> >     >
> >     > Yes, the auto-renewal works beautifully and eliminates a world of
> >     > headaches.  I suspect that Apple's move will accelerate the
> >     adoption of
> >     > Let's Encrypt, now that everyone will have to renew more often.
> >
> >     Or at least force other CAs to adopt the ACME API to issue certs.
> >
> >     Overall, it's a good thing, and IMO, even 90 days is a bit long.  With
> >     automated renewal, 7-30 days is more than long enough.
> >
> >
> > With automated renewal, limit validity to 7 days and renew daily. No 
> > need for OCSP or CRLs.
> Correct me if I'm wrong, but my ACME api can't automate the auto-renewal 
> for my email server if it doesn't have a web port open, or my HP ILO 

That's when you use DNS TXT records.  No need to open a web port for the
challenge.

> servers for the management port, or the VPN servers with other styles of 
> lockdowns, .... other forms of automation are thus required, at various 
> levels of complexity.

Automating the uploading of a cert to an ILOM or something else that
isn't designed for automation is a problem, but hopefully this change
will help make those vendors make it possible.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
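The DNS-01 path mentioned above needs no inbound web port because the CA only checks a TXT record. As an added example that is not part of this thread, the following derives that record value the way RFC 8555 section 8.4 specifies (key authorization from RFC 8555 section 8.1, account-key thumbprint from RFC 7638) and recomputes it the way a validator would; the account key and challenge token are constructed placeholders, not real values.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable

# RFC 7638: only these members feed the thumbprint, serialized in lexicographic order.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required members only."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: <token> '.' <thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record at _acme-challenge.<domain> holds
    base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)

def validate_dns01(token: str, account_jwk: dict, published_txt: Iterable[str]) -> bool:
    """What the CA side does: recompute the expected value and look for it among
    the TXT records it fetched (several may coexist while renewals overlap)."""
    expected = dns01_txt_value(token, account_jwk)
    return any(hmac.compare_digest(expected, v) for v in published_txt)

# Constructed sample account key (not a real key) and a constructed challenge token.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64))),
    "alg": "ES256", "use": "sig",  # extra members must not change the thumbprint
}
SAMPLE_TOKEN = "c0nstructedT0ken-not-issued-by-any-CA"

if __name__ == "__main__":
    print("_acme-challenge.example.com. IN TXT", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

The same derivation applies whether the ACME client runs on the mail host, a bastion, or a DNS-update job; only the DNS write path has to be automated.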

