[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Apr 16 21:50:27 EDT 2025


John Levine <johnl at iecc.com> writes:

>I don't understand this objection. I have LE certificates which LE re-signs
>every 90 days. When it does that, the certificate's key doesn't change, only
>the time stamp.

The argument for doing this is that it limits the time available to an
attacker for key compromise.  If you're just re-signing the same key year in,
year out then it's defeating the very thing that the constant-churn is
supposedly good for.

Peter.

