[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Viktor Dukhovni
cryptography at dukhovni.org
Tue Apr 15 23:09:49 EDT 2025
On Wed, Apr 16, 2025 at 12:57:30AM +0100, Peter Fairbrother wrote:
> "CA/Browser Forum – a central body of web browser makers, security
> certificate issuers, and friends – has voted to cut the maximum lifespan of
> new SSL/TLS certs to just 47 days by March 15, 2029."
>
> El Reg:
> https://www.theregister.com/2025/04/14/ssl_tls_certificates/?td=rt-3a
>
> Seems "they" have given up on certificate revocation. Is this a real
> security measure or just a boondoggle? Is there a better solution?
I've always viewed revocation as largely ineffective security theatre,
so it won't be missed (by me). Shorter lifetimes are a step forward.
Sadly, the ecosystem is not yet sufficiently conducive to much broader
adoption of DNSSEC, which would make it possible to use DANE to specify
which keys or certs are presently valid for a peer, obviating the need
for "revocation" as the solution to key compromise.
--
Viktor.
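As an added example that is not part of the original message (and not Viktor's, Peter's, or any project's code), the following script shows the two mechanisms the thread contrasts: it reads the validity period out of a DER-encoded X.509 certificate and checks it against a maximum lifetime (47 days by default), and it computes the DANE TLSA record data (RFC 6698, "usage selector matching-type hex") that would publish that certificate's key in DNS. The tiny DER encoder/decoder, the helper names, and the demo certificate for `example.test` are all assumptions made here; the demo certificate is constructed inline with a placeholder signature so the script runs offline, and a real certificate would be fed in as DER bytes (for instance from `openssl x509 -in cert.pem -outform DER`).

```python
"""
DANE TLSA rdata and certificate-lifetime check from a DER X.509 certificate.
Everything here is written for this example: the minimal DER encode/decode,
and the demo certificate, which is constructed inline with a placeholder
(unverifiable) signature so the script runs offline.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# ---- minimal DER encode/decode (single-byte tags only, enough for X.509) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf, pos):
    """Return (tag, content, position after this TLV) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    """Split a constructed value into (tag, content, whole_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, content, nxt = der_read(body, pos)
        out.append((tag, content, body[pos:nxt]))
        pos = nxt
    return out

# ---- pulling fields out of a certificate ----
def tbs_fields(cert_der):
    """tbsCertificate fields after the optional [0] version (RFC 5280 4.1):
    serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    _, cert_body, _ = der_read(cert_der, 0)
    _, tbs_body, _ = der_read(cert_body, 0)
    fields = der_children(tbs_body)
    return fields[1:] if fields[0][0] == 0xA0 else fields

def extract_spki(cert_der):
    return tbs_fields(cert_der)[5][2]          # full SubjectPublicKeyInfo TLV

def parse_time(tag, value):
    # 0x17 = UTCTime (YYMMDDHHMMSSZ), 0x18 = GeneralizedTime (YYYYMMDDHHMMSSZ)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def extract_validity(cert_der):
    nb, na = [parse_time(t, v) for t, v, _ in der_children(tbs_fields(cert_der)[3][1])]
    return nb, na

def lifetime_days(cert_der):
    nb, na = extract_validity(cert_der)
    return (na - nb).total_seconds() / 86400

def within_lifetime_cap(cert_der, max_days=47):
    return lifetime_days(cert_der) <= max_days

# ---- DANE TLSA rdata (RFC 6698): usage selector matching-type hex-data ----
def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    data = extract_spki(cert_der) if selector == 1 else cert_der   # selector 1 = SPKI, 0 = whole cert
    digest = {0: lambda d: d,                                      # matching type 0 = exact
              1: lambda d: hashlib.sha256(d).digest(),             # 1 = SHA-256
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)  # 2 = SHA-512
    return f"{usage} {selector} {mtype} {digest.hex()}"

# ---- demo certificate (constructed for this example; signature is a placeholder) ----
def _utctime(dt):
    return der_tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_demo_cert(not_before, not_after, spki_der):
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,            # CN=example.test
               der_tlv(0x06, bytes([0x55, 0x04, 0x03])) + der_tlv(0x0C, b"example.test"))))
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))            # version v3
                  + der_tlv(0x02, b"\x01")                         # serialNumber
                  + sig_alg + name                                 # signature, issuer
                  + der_tlv(0x30, _utctime(not_before) + _utctime(not_after))
                  + name + spki_der)                               # subject, SPKI
    fake_sig = der_tlv(0x03, b"\x00" + bytes(32))                  # not a real signature
    return der_tlv(0x30, tbs + sig_alg + fake_sig)

DEMO_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))
                           + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00" + bytes(range(64))))
NOT_BEFORE = datetime(2025, 4, 16, tzinfo=timezone.utc)
DEMO_CERT_30D = build_demo_cert(NOT_BEFORE, NOT_BEFORE + timedelta(days=30), DEMO_SPKI)
DEMO_CERT_90D = build_demo_cert(NOT_BEFORE, NOT_BEFORE + timedelta(days=90), DEMO_SPKI)

if __name__ == "__main__":
    for label, cert in (("30-day", DEMO_CERT_30D), ("90-day", DEMO_CERT_90D)):
        print(label, "lifetime:", lifetime_days(cert), "days; within 47-day cap:",
              within_lifetime_cap(cert))
        print("  _443._tcp.example.test. IN TLSA", tlsa_rdata(cert))
```

The two demo certificates carry the same key with different lifetimes, which is the point worth noticing: the default `3 1 1` (DANE-EE, SPKI, SHA-256) record is identical for both, so frequent reissuance under a short-lifetime regime needs no DNS change as long as the key is kept, while replacing a compromised key means publishing a new record, which is the "specify which keys are presently valid" role Viktor describes. A `3 0 1` record hashes the whole certificate and therefore changes on every reissue.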