[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Nico Williams
nico at cryptonector.com
Thu Apr 17 15:46:33 EDT 2025
On Thu, Apr 17, 2025 at 05:25:06PM +1000, Viktor Dukhovni wrote:
> On Thu, Apr 17, 2025 at 01:50:27AM +0000, Peter Gutmann wrote:
> > John Levine <johnl at iecc.com> writes:
> > >I don't understand this objection. I have LE certificates which LE resigns
> > >every 90 days. When it does that, the certificate's key doesn't change, only
> > >the time stamp.
> >
> > The argument for doing this is that it limits the time available to an
> > attacker for key compromise. If you're just re-signing the same key year in,
> > year out then it's defeating the very thing that the constant-churn is
> > supposedly good for.
>
> Is that really the argument? I rather think of it as shortening the
> window of opportunity *after* a key compromise. Of course if one is
> completely unaware of a one-time key compromise, then indeed frequent
> key rollover could also be helpful, on the assumption that the barn
> door is now closed (even though the compromise was not detected).
+1
IMO shorter certificate lifetimes are better. Revocation is ETOOHARD in
part because compromise detection is difficult, and in part because
dealing with huge CRLs is difficult, and browsers eschew OCSP for
performance reasons. Ironically shorter certificate lifetimes will
reduce the sizes of CRLs, making revocation more workable.
As to the concern that CAs might be DoSed out of existence, taking out
huge swaths of the Internet, the browsers could easily get an update
that adds N days to all notAfter dates to help recover. So I'm not
concerned.
Nico
--
More information about the cryptography
mailing list