[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Jerry Leichter
leichter at lrw.com
Wed Apr 16 19:56:39 EDT 2025
> "CA/Browser Forum – a central body of web browser makers, security certificate issuers, and friends – has voted to cut the maximum lifespan of new SSL/TLS certs to just 47 days by March 15, 2029."
>
> El Reg: https://www.theregister.com/2025/04/14/ssl_tls_certificates/?td=rt-3a
>
>
> Seems "they" have given up on certificate revocation. Is this a real security measure or just a boondoggle? Is there a better solution?
One question to ask here is: Under what conditions will a certificate issuer refuse to renew an issued cert? Without some assurance that "bad" certs - however defined - won't simply be re-issued, this provides absolutely no additional security.
Given how little actual checking of applicants is typically done the first time certs are issued - do you really think anyone is going to be even as minimally careful every 47 days? Imagine how much extra the issuers will be able to charge for _claiming_ high-security checks at each re-issuance!
-- Jerry