[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Howard Chu
hyc at symas.com
Fri Apr 18 09:18:18 EDT 2025
Peter Fairbrother wrote:
> "CA/Browser Forum – a central body of web browser makers, security certificate issuers, and friends – has voted to cut the maximum lifespan of new SSL/TLS certs
> to just 47 days by March 15, 2029."
>
> El Reg: https://www.theregister.com/2025/04/14/ssl_tls_certificates/?td=rt-3a
>
>
> Seems "they" have given up on certificate revocation. Is this a real security measure or just a boondoggle? Is there a better solution?
I think there's some merit to it, in a different context. Funny thing, back in 2000, Symas'
Connexitor used auto-generated short-lived TLS certs too. We treated them much like Kerberos tickets.
But in that case we had long-lived certs too, and the short-lived certs used a new key each time.
Worked well for securing intra-app comms and temporarily delegating privs to software agents.
Most of the CA nonsense is because the commercial CA model was broken from the start. The original
X.500 model assumed one authoritative CA per country. In the IETF context, only domain registrars
should ever have been root level CAs, and they should only ever have issued intermediate CA certs
to the domains under their authority. Domain owners should have been responsible for issuing their
own certs for entities in their own domain.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
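The pattern Howard describes above, a long-lived CA issuing short-lived leaf certs with a new key on every issuance, as an added Go example (not Symas or Connexitor code): Issue mints either the long-lived self-signed CA or a ticket-like leaf, and Check is the relying-party side, which rejects any leaf whose validity window exceeds the 47-day cap from the subject line before chaining it to the CA. The CA name, host name and lifetimes are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLeafLifetime is the 47-day cap from the thread, applied here as a local relying-party policy.
const MaxLeafLifetime = 47 * 24 * time.Hour

// Issue mints a cert for name valid for life, with a fresh Ed25519 key and random serial each call; parent == nil yields the long-lived self-signed CA, otherwise a ticket-like server leaf.
func Issue(name string, life time.Duration, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // new key per cert, never reused
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 126))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(life),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { // root CA: signs itself, no SAN or server EKU, the only long-lived key here
		parent, signer, tmpl.DNSNames, tmpl.ExtKeyUsage = tmpl, key, nil, nil
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Check is the relying-party side: enforce the lifetime cap, then chain to ca and match host.
func Check(leaf, ca *x509.Certificate, host string) error {
	if life := leaf.NotAfter.Sub(leaf.NotBefore); life > MaxLeafLifetime {
		return fmt.Errorf("leaf lifetime %v exceeds the %v cap", life, MaxLeafLifetime)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Check does no revocation lookup at all: a leaf that is outside its short window, or wider than the cap, simply fails, which is the trade the thread is debating.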