[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

Peter Fairbrother peter at tsto.co.uk
Thu Apr 17 14:10:48 EDT 2025


On 16/04/2025 21:26, Ron Garret wrote:
> 
>> On Apr 16, 2025, at 11:55 AM, Andrew Lee <andrew at joseon.com> wrote:
>>
>> Because it’s literally not any less secure than getting a signed cert from a signer who signs for anybody all the time (eg all of them).
>>
>> As an example - let’s encrypt will issue to anybody who can prove control of a domain
> 
> You have contradicted yourself in the span of two sentences.  Proving control of a domain is not very secure, but it's not nothing either.  It does prevent some level of deterrence to MITM attacks, which would otherwise be utterly trivial.  And this deterrent, weak as it may be, is manifestly adequate because the web is not falling apart in the face of rampant MITM attacks.

Actually, if you control a domain name, you can most probably 
see/control traffic to/from it anyway. So no MITM needed.

From the user POV, if the cert is issued to domain.com, I'm talking to 
those who control domain.com. And (hopefully!) its DNS lookups. Doesn't 
mean they *are* domain.com, just that they control the use of the name.



If the domain in question is paypal.com or barclaysbank.com, Paypal and 
Barclays should make damn sure that the real Paypal and Barclays bank 
control those names.

Else they are (mostly) liable for fraud, in the UK at least - the 
consumer doesn't set the anti-fraud and security standards, the 
financial institution does. So it is responsible for failures of them.

Hmmm, I wonder why financial institutions don't weigh in on the matter of 
the subject? Liability again, I suppose. Are the financial institutions 
more powerful/influential than the "CA/Browser Forum"?

Peter Fairbrother