[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Stephen Farrell
stephen.farrell at cs.tcd.ie
Thu Apr 17 07:41:56 EDT 2025
Hiya,
On 17/04/2025 02:50, Peter Gutmann wrote:
> The argument for doing this is that it limits the time available to an
> attacker for key compromise.
Is that correct for LE? IIUC their (good) argument for 90
days is to force automation of renewal, and failing to
renew/expiry was a much more frequent problem before LE
started doing 90 day certs in 2015.
It's very unclear to me that moving from 90 to 47 days
would improve anything though, so I'm not sure what the
logic there is.
I also thought certbot at least rotates the EE keys each
time as well. Don't think acme.sh does though.
Cheers,
S.
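The point about certbot rotating the end-entity key on each renewal, and the doubt about acme.sh, is something an operator can verify directly from the certificates a client has issued. What follows is an added example, not code from the original mail nor from certbot or acme.sh: a standard-library-only DER walker that pulls Validity and SubjectPublicKeyInfo out of an X.509 certificate, reports the lifetime against the 47-day figure under discussion, and compares SPKI fingerprints across two issued certs to see whether the key actually changed. The certificates it inspects are constructed inline as test data (dummy signature, nothing is verified), and the helper names are this example's own.

```python
"""Check issued X.509 certs for lifetime and end-entity key rotation.

Added example, not code from the original mail or from certbot/acme.sh.
Uses only the standard library: a minimal DER walker (no signature
verification) extracts Validity and SubjectPublicKeyInfo. The certs below
are constructed inline as test data with a dummy signature.
"""
import hashlib
from datetime import datetime, timedelta, timezone

MAX_LIFETIME_DAYS = 47          # the end-state limit discussed in the thread

# --- DER encoding helpers (only what a test certificate needs) ---------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def utctime(dt: datetime) -> bytes:
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_SHA256_RSA     = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11
OID_COMMON_NAME    = bytes.fromhex("0603550403")               # 2.5.4.3

def make_cert(not_before: datetime, days: int, pubkey: bytes) -> bytes:
    """Build a structurally valid DER Certificate (dummy signature, test data only)."""
    sig_alg = seq(OID_SHA256_RSA, b"\x05\x00")
    name = seq(tlv(0x31, seq(OID_COMMON_NAME, tlv(0x0C, b"example.test"))))
    spki = seq(seq(OID_RSA_ENCRYPTION, b"\x05\x00"), tlv(0x03, b"\x00" + pubkey))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                 # [0] version v3
        tlv(0x02, b"\x01"),                            # serialNumber
        sig_alg, name,                                 # signature, issuer
        seq(utctime(not_before), utctime(not_before + timedelta(days=days))),
        name, spki,                                    # subject, subjectPublicKeyInfo
    )
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" * 33))  # dummy signature BIT STRING

# --- DER parsing ---------------------------------------------------------------
def read_tlv(buf: bytes, pos: int):
    """Decode the element at pos; return (tag, value, position after element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def _parse_time(tag: int, raw: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_cert(cert_der: bytes):
    """Return (notBefore, notAfter, sha256 hex of the SubjectPublicKeyInfo DER)."""
    _, cert, _ = read_tlv(cert_der, 0)           # Certificate
    _, tbs, _ = read_tlv(cert, 0)                # tbsCertificate
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                              # optional [0] version
        pos = nxt
    for _ in range(3):                           # serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, pos = read_tlv(tbs, pos)
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    _, _, pos = read_tlv(tbs, pos)               # subject
    spki_start = pos
    _, _, pos = read_tlv(tbs, pos)               # subjectPublicKeyInfo
    spki_fp = hashlib.sha256(tbs[spki_start:pos]).hexdigest()
    return _parse_time(t1, nb), _parse_time(t2, na), spki_fp

# --- The two checks an operator actually wants --------------------------------
def lifetime_days(cert_der: bytes) -> float:
    nb, na, _ = parse_cert(cert_der)
    return (na - nb).total_seconds() / 86400

def within_limit(cert_der: bytes, limit: int = MAX_LIFETIME_DAYS) -> bool:
    return lifetime_days(cert_der) <= limit

def key_rotated(old_der: bytes, new_der: bytes) -> bool:
    """True when the renewal carries a different public key than its predecessor."""
    return parse_cert(old_der)[2] != parse_cert(new_der)[2]

def demo():
    """Constructed scenario: a 90-day cert, then a 47-day renewal with and without rotation."""
    issued = datetime(2025, 4, 17, tzinfo=timezone.utc)
    key_a = hashlib.sha256(b"constructed key A").digest()   # stand-in public key bytes
    key_b = hashlib.sha256(b"constructed key B").digest()
    old = make_cert(issued, 90, key_a)
    same = make_cert(issued + timedelta(days=60), 47, key_a)   # renewed, key reused
    new = make_cert(issued + timedelta(days=60), 47, key_b)    # renewed, key rotated
    return {
        "old_days": lifetime_days(old), "old_ok": within_limit(old),
        "renewed_days": lifetime_days(new), "renewed_ok": within_limit(new),
        "rotated_same_key": key_rotated(old, same),
        "rotated_new_key": key_rotated(old, new),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

To run this against real material, feed `parse_cert` the DER of two consecutive certificates from the client's live directory (`openssl x509 -outform DER` on the PEM files); a matching SPKI fingerprint across renewals means the client is reusing the key, whatever the cert lifetime.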