[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Christian Huitema
huitema at huitema.net
Fri Apr 18 22:48:21 EDT 2025
On 4/18/2025 4:28 PM, Jerry Leichter wrote:
...
> Now consider, thinking in these terms, what short-lived certificates do. On the one hand, yes, they protect against stolen certificates. They might seem to protect against certificates that were incorrectly (by chance or by attack) granted - but realistically since all this stuff is automated anyway, if I can get a CA to improperly grant me a certificate for a site, they'll probably keep renewing it for me - they are not going to keep re-checking even if they did some actual checking the first time around. And there are two other factors to consider: Every renewal is an opportunity for something to go wrong, or for someone to mount an attack. At the same time, they prevent me from using a simple defense: Certificate continuity. If I make repeated connections to foo.com, as long as they present the same cert each time, I can at least be sure that it's the same foo.com as the last time.
Wasn't HPKP an effort to implement the "certificate continuity" that you
describe? It did not succeed. HPKP was tying domain and key, and the
high level summary is that this was too rigid. Some domains have many
keys for various operational reasons, some domains want to change their
keys, some domains lose control of their key. If the clients are trained
to expect key continuity, the new key could only be accepted after the
HPKP information expired. That proved not acceptable in practice.
Maybe the design of HPKP was flawed. Certificates tie domain,
certificate authority, key and date. One could imagine a different HPKP
that tied domain and certificate authority, which would limit the attack
surface but would probably introduce its own set of issues. One could
imagine having the new keys certified by the previous keys, but that
would not be too good if the previous key was stolen. Someone smarter
than me might come up with a design that solves all these issues...
-- Christian Huitema
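
An added illustration, not part of the original message or of the HPKP specification: a simplified trust-on-first-use pin store showing the trade-off discussed above, where pinning the key rejects a legitimate key rotation until the pin expires and pinning only the issuing CA accepts it. The class, field names, CA names and 60-day pin lifetime are assumptions made for the example; backup pins and header parsing are left out.

```python
import hashlib

DAY = 86400  # seconds

class ContinuityStore:
    """Trust-on-first-use pin store (simplified model, hypothetical names).

    mode="key": remember a hash of the server public key (HPKP-like).
    mode="ca":  remember only the issuing CA (the variant floated above).
    """

    def __init__(self, mode, max_age):
        if mode not in ("key", "ca"):
            raise ValueError("mode must be 'key' or 'ca'")
        self.mode, self.max_age = mode, max_age
        self.pins = {}  # domain -> (pinned identity, expiry time)

    def _identity(self, cert):
        if self.mode == "key":
            return hashlib.sha256(cert["spki"]).hexdigest()
        return cert["issuer"]

    def check(self, domain, cert, now):
        ident = self._identity(cert)
        pinned = self.pins.get(domain)
        if pinned is None or now >= pinned[1]:
            # No pin, or the pin has expired: accept and remember.
            self.pins[domain] = (ident, now + self.max_age)
            return "first-use"
        if pinned[0] != ident:
            return "reject"  # continuity broken; pin stays until it expires
        self.pins[domain] = (ident, now + self.max_age)  # refresh on match
        return "ok"

def scenario(mode):
    # Constructed certificates: only the fields the store looks at.
    old = {"spki": b"constructed-key-1", "issuer": "Example CA A"}
    rotated = {"spki": b"constructed-key-2", "issuer": "Example CA A"}
    other_ca = {"spki": b"constructed-key-3", "issuer": "Example CA B"}
    store = ContinuityStore(mode, max_age=60 * DAY)
    return [
        store.check("foo.com", old, 0),
        store.check("foo.com", old, 10 * DAY),
        store.check("foo.com", rotated, 20 * DAY),   # legitimate key change
        store.check("foo.com", other_ca, 30 * DAY),  # different CA and key
        store.check("foo.com", rotated, 200 * DAY),  # after the pin expired
    ]

if __name__ == "__main__":
    for mode in ("key", "ca"):
        print(mode, scenario(mode))
```

In key mode the rotation at day 20 is rejected and the new key is only accepted once the pin has lapsed; in CA mode it is accepted, as would be any key that the same CA certifies for the domain.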