[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
David Conrad
drc at virtualized.org
Wed Apr 16 15:33:08 EDT 2025
On Apr 16, 2025, at 2:54 AM, iang via cryptography <cryptography at metzdowd.com> wrote:
> The issue was that the revocation 'solution' was patchy at best and
> fraudulent at worst. Because of 'procedures' it theoretically protected
> the CA from liability once those procedures were undertaken (or should
> have been undertaken), and 'protected' you because you were forced to
> check for revocation through some cumbersome mechanism that nobody
> really cared for.
>
> So now that they've given up on making it work, they do need something
> to cover for the fact that it was a rort from beginning to end, and the
> obvious technical security thing - having long lifed certs - can't be
> done because revenue.
Without commenting on business models, I thought the browser vendors had decided to reinvigorate revocation with CRLite (i.e., https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland17.pdf), e.g., https://github.com/mozilla/crlite?
Regards,
-drc