[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
iang
iang at iang.org
Wed Apr 16 05:54:07 EDT 2025
On 16/04/2025 03:57, Peter Fairbrother wrote:
> "CA/Browser Forum – a central body of web browser makers, security
> certificate issuers, and friends – has voted to cut the maximum lifespan
> of new SSL/TLS certs to just 47 days by March 15, 2029."
>
> El Reg:
> https://www.theregister.com/2025/04/14/ssl_tls_certificates/?td=rt-3a
>
>
> Seems "they" have given up on certificate revocation. Is this a real
> security measure or just a boondoggle? Is there a better solution?
Revocation was always a created problem to solve a business need - what
good are CAs for? "Well, we handle revocation, and that's something
that's important, right? You need that..."
The issue was that the revocation 'solution' was patchy at best and
fraudulent at worst. Because of 'procedures' it theoretically protected
the CA from liability once those procedures were undertaken (or should
have been undertaken), and 'protected' you because you were forced to
check for revocation through some cumbersome mechanism that nobody
really cared for.
So now that they've given up on making it work, they do need something
to cover for the fact that it was a rort from beginning to end, and the
obvious technical security thing - having long-lived certs - can't be
done because revenue. So the alternate is tiny certs, which is a proven
model for Let's Encrypt, and they ate our lunch so we need to compete.
Or something. Revocation was twister logic from the beginning, and is now
an Olympic sport.
What allowed this to happen was the browser manufacturers who accepted
the entire security package built by the CAs (or, one CA of which
everyone recalls their name) without challenge, because the CAs knew
this stuff and the browsers did not. Hence the arisal of a two-sided
cartel between browser manufacturers and server manufacturers, which is
stable in economic terms, and incredibly beneficial to someone who
controls it. If we had a browser manufacturer with cojones then we might
have seen some change, but we don't so we didn't.
iang
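The thread's practical upshot for an operator is that with revocation effectively abandoned, certificate lifetime itself becomes the control, and the only safe way to live with 47-day certificates is to audit lifetimes against the policy schedule and renew well before expiry. The script below is an added example written for this page, not code from the list or from the CA/Browser Forum. Only the 47-day limit from 15 March 2029 comes from the thread; the current 398-day limit and the 200-day (15 March 2026) and 100-day (15 March 2027) steps are taken from the ballot schedule as I know it, not from the page, and should be checked against the current Baseline Requirements. The sample validity strings are constructed, and the two-thirds renewal window is an assumed operational choice.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Maximum permitted lifetime (days) for certificates issued on or after each
# date, newest first. The 47-day / 15 March 2029 entry is the figure quoted in
# the thread; the others are from the CA/Browser Forum ballot schedule and are
# an assumption of this example, not something the thread states.
LIFETIME_SCHEDULE = [
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime.min.replace(tzinfo=UTC), 398),   # catch-all: current limit
]

# Constructed sample validity periods in the format ssl.getpeercert() returns.
SAMPLE_CERTS = {
    "legacy-365-day":    ("Apr 16 00:00:00 2025 GMT", "Apr 16 00:00:00 2026 GMT"),
    "year-cert-in-2026": ("Apr 16 00:00:00 2026 GMT", "Apr 16 00:00:00 2027 GMT"),
    "short-lived-2029":  ("Apr 16 00:00:00 2029 GMT", "Jun 01 00:00:00 2029 GMT"),
    "too-long-2029":     ("Apr 16 00:00:00 2029 GMT", "Jun 16 00:00:00 2029 GMT"),
}


def parse_cert_time(s):
    """Parse a 'Apr 16 00:00:00 2025 GMT' string (the notBefore/notAfter
    format of ssl.getpeercert()) into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=UTC)


def max_lifetime_days(issued_at):
    """Policy maximum that applied on the certificate's notBefore date."""
    for start, limit in LIFETIME_SCHEDULE:
        if issued_at >= start:
            return limit
    raise ValueError("schedule has no catch-all entry")


def audit(not_before, not_after, now=None, renew_fraction=2 / 3):
    """Check one certificate's validity period against the schedule and
    compute the date by which automation should have renewed it.

    `now` may be omitted (wall clock), a datetime, or a cert-time string."""
    nb, na = parse_cert_time(not_before), parse_cert_time(not_after)
    if now is None:
        now = datetime.now(UTC)
    elif isinstance(now, str):
        now = parse_cert_time(now)
    lifetime = na - nb
    days = lifetime.total_seconds() / 86400
    limit = max_lifetime_days(nb)
    renew_by = nb + lifetime * renew_fraction   # assumed renewal window
    return {
        "lifetime_days": round(days, 2),
        "max_allowed_days": limit,
        "compliant": days <= limit,
        "renew_by": renew_by,
        "renewal_overdue": now > renew_by,
        "expired": now > na,
    }


def fetch_validity(host, port=443, timeout=5):
    """Fetch the leaf certificate's notBefore/notAfter from a live server
    using the default (verifying) context. Not exercised by the samples."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]


def main(argv):
    # With a hostname argument, audit the live certificate; otherwise run the
    # constructed samples with a fixed clock so the output is reproducible.
    if len(argv) > 1:
        nb, na = fetch_validity(argv[1])
        print(argv[1], audit(nb, na))
        return
    for name, (nb, na) in SAMPLE_CERTS.items():
        r = audit(nb, na, now=nb)   # evaluate as of issuance
        flag = "OK " if r["compliant"] else "BAD"
        print(f"{flag} {name:18s} {r['lifetime_days']:6.1f} days "
              f"(max {r['max_allowed_days']}), renew by {r['renew_by']:%Y-%m-%d}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed samples scored against the schedule, or with a hostname to score a live server's leaf certificate. The `renewal_overdue` flag is the one worth alerting on: a 46-day certificate that has not been renewed by roughly day 31 is a sign the automation the short-lifetime model depends on has stopped working.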