[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

Andrew Lee andrew at joseon.com
Wed Apr 16 14:55:59 EDT 2025


The whole CA/Browser Forum is a racket of sorts. I have “purchased” countless certificates - for the same entity - from different sources in the past for web and also application signing (Windows requires it or calls your software malware). These companies don’t actually verify anything about you — just a “DNB” number. It’s basically complete theater bs so they can take 1k from every app developer every year. Any issuer can issue certs for anybody. Crap companies could compromise a bunch of people for a quick cash grab and be out.

Even if it doesn’t come to this (although it already has, countless times), it’s yet another tax, and to a non-government entity, no doubt.

It’s high time we revisit all this. Obviously blockchain solutions work as it relates to making DANE usable and not a backdoor (e.g. Handshake), but there’s probably an easier solution - self-signed certificates.

Why?

Because it’s literally not any less secure than getting a signed cert from a signer who signs for anybody all the time (e.g. all of them).

As an example - Let’s Encrypt will issue to anybody who can prove control of a domain — and boy am I thankful for Let’s Encrypt.

But let’s be real here — this is not secure authentication.

So the real value here is simply no warning on your browser. In other words - no value other than artificially created value by the SSL/browser cabal. Encryption is of course great, but you get that self-signed or not.

Luckily the cabal is made of a bunch of older folks who are aging out and the inheritors of that empire have not a clue how to defend the moat. 

Times will change.

Crypto has let us do things person to person - and that’s not what the SSL CA forum is about — having the man in the middle (the SSL CA forum) is a literal joke.

I trust blockchain (consensus) over everything, but I trust the app dev / web dev over the CA/SSL forum.

(And yes, I get that some people consider it almost like a 2FA, but it’s not, because for web SSL all you need is DNS; it’s not actually 2FA. And for the application cert you just need to prove address and name and such, and now you “seem” more official. And for signing apps they send a USB key, which you could easily intercept, since it’s not like delivery drivers are trained to authenticate identity (anyone can sign for receipt for most packages, as you all know), all of which bad actors love to take advantage of all the time.)

- Andrew
