[Cryptography] Apple's 13-month certificate policy
John-Mark Gurney
jmg at funkthat.com
Sun Feb 23 02:04:30 EST 2020
Raymond Burkholder wrote this message on Sat, Feb 22, 2020 at 23:43 -0700:
>
> On 2020-02-22 7:02 p.m., Phillip Hallam-Baker wrote:
> > On Sat, Feb 22, 2020 at 8:08 PM John-Mark Gurney <jmg at funkthat.com> wrote:
> >
> > Patrick Chkoreff wrote this message on Sat, Feb 22, 2020 at 18:23 -0500:
> > > Henry Baker wrote on 2/22/20 12:04 PM:
> > >
> > > > https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/
> > > ...
> > > > We note Let's Encrypt issues free HTTPS certificates that expire after
> > > > 90 days, and provides tools to automate renewals, so those will be
> > > > just fine - and they are used all over the web now.
> > >
> > > Yes, the auto-renewal works beautifully and eliminates a world of
> > > headaches. I suspect that Apple's move will accelerate the adoption of
> > > Let's Encrypt, now that everyone will have to renew more often.
> >
> > Or at least force other CAs to adopt the ACME API to issue certs.
> >
> > Overall, it's a good thing, and IMO, even 90 days is a bit long. With
> > automated renewal, 7-30 days is more than long enough.
> >
> >
> > With automated renewal, limit validity to 7 days and renew daily. No
> > need for OCSP or CRLs.
> Correct me if I'm wrong, but my ACME api can't automate the auto-renewal
> for my email server if it doesn't have a web port open, or my HP ILO
That's when you use DNS TXT records. No need to open a web port for the
challenge.
> servers for the management port, or the VPN servers with other styles of
> lockdowns, .... other forms of automation are thus required, at various
> levels of complexity.
Automating the uploading of a cert to an ILOM or something else that
isn't designed for automation is a problem, but hopefully this change
will help make those vendors make it possible.
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
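The DNS-01 path John-Mark points at works because the ACME challenge answer lives entirely in DNS: the client publishes a hash derived from the server's token and its own account key, so no inbound HTTP listener is needed. The following Python is an added example, not code from the thread, from Let's Encrypt or from any ACME client; it computes the _acme-challenge TXT value as RFC 8555 section 8.4 defines it, using the RFC 7638 JWK thumbprint. The account JWK and the token are constructed for illustration (the EC coordinates are not a valid curve point), and the function names are my own.

```python
"""ACME dns-01 challenge: compute the _acme-challenge TXT record (added example).

Per RFC 8555 section 8.4 the client proves control of a name by publishing
    base64url(SHA-256(token + "." + base64url(JWK-thumbprint(account key))))
as a TXT record at _acme-challenge.<name>.  The thumbprint follows RFC 7638.
"""
import base64
import hashlib
import json
import re

# RFC 7638 section 3.2: required members per key type, hashed in lexicographic
# order with no whitespace; optional members such as "kid" or "use" are ignored.
_REQUIRED = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    kty = jwk.get("kty")
    if kty not in _REQUIRED:
        raise ValueError(f"unsupported kty: {kty!r}")
    members = {k: jwk[k] for k in _REQUIRED[kty]}  # KeyError if a member is missing
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1 key authorization: token '.' thumbprint."""
    # The token must itself be base64url.  Refuse anything else so a buggy or
    # hostile server cannot make the client publish arbitrary strings in DNS.
    if not _B64URL.match(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The TXT rdata: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(name: str, token: str, jwk: dict) -> tuple:
    """(owner name, TXT rdata) to publish.  A wildcard is validated at its base name."""
    base = name[2:] if name.startswith("*.") else name
    return f"_acme-challenge.{base.rstrip('.')}.", dns01_txt_value(token, jwk)


# Constructed sample input (not a real key, not a CA-issued token).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
    "kid": "https://acme.example/acct/1",   # optional member, must not affect the hash
    "use": "sig",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    owner, rdata = dns01_record("*.mail.example.org", TOKEN, ACCOUNT_JWK)
    print(f"{owner} IN TXT \"{rdata}\"")
```

The record is published through whatever the DNS provider's API is, the client tells the CA to validate, and the record can be removed afterwards; since the value depends on the account key, an attacker who can read the zone learns nothing that lets them answer a challenge for a different account.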