[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Michael Kjörling
9bf3a7ef93bb at ewoof.net
Sat Apr 19 06:56:00 EDT 2025
On 18 Apr 2025 08:18 -0700, from andrew at joseon.com (Andrew Lee):
> I disagree with this. The browser doesn’t tell me if someone rotated
> some certs or something. It only tells me if it’s invalid/not issued
> by one of the infinite CAs.
>
>> The point is not so much control of the domain name per se, as it
>> is providing attestation of continuity of content between an access
>> over a sketchy internet connection vs one that occurred over a
>> (presumably) less sketchy internet connection. It's easy for me to
>> MITM someone at an airport looking for free wifi. It's a lot harder
>> for me to MITM letsencrypt, and *that* is what matters, not the
>> security of DNS per se.
>
> The point is you don’t have to MITM Let’s Encrypt. There’s a zillion
> other money focused CAs you can compromise that aren’t as amazing as
> Let’s Encrypt.

Still, the entity in control of DNS for the hostname in question can
put critical-flag-set CAA records in DNS. (At least Let's Encrypt lets
you narrow this down not just to Let's Encrypt, but also to a specific
Let's Encrypt _account_.)

Then your claim is reduced to: the attacker has to compromise one of
the CAs which are widely trusted (of which I agree that there are
many) and which _simultaneously_ does not properly validate and/or
enforce restrictions set out in critical CAA RRs in authoritative DNS.

I certainly won't say that doing so is impossible. But it definitely
does _significantly_ reduce the threat surface or alternatively raise
the bar of the attack; and given that CAA RRs were first described in
RFC 6844 published 2013-01 it's kind of difficult these days for a
legit CA to say "oops, sorry, we didn't know about those" and not look
like they are _asking_ to have the trust in them revoked.

--
Michael Kjörling
🔗 https://michael.kjorling.se
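
Added example, not part of the original message or of any CA's code: a sketch of the check a CA is expected to run against a CAA RRset before issuing (RFC 8659 processing plus the RFC 8657 `accounturi` parameter). It assumes the relevant RRset has already been located, handles non-wildcard names only, and uses constructed records with a placeholder account id.

```python
# Added example: evaluate a CAA RRset as an issuing CA is expected to.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(text):
    """Parse presentation format '<flags> <tag> "<value>"' into a tuple."""
    flags, tag, value = text.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def parse_issue_value(value):
    """Split 'ca.example; accounturi=...' into (issuer domain, parameters)."""
    parts = [p.strip() for p in value.split(";")]
    pairs = (p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), {k.strip(): v.strip() for k, v in pairs}

def may_issue(rrset, ca_domain, account_uri):
    """Return (allowed, reason) for a non-wildcard name with this CAA RRset."""
    records = [parse_caa(r) for r in rrset]
    # Critical bit (128) set on a property the CA does not understand: refuse.
    for flags, tag, _ in records:
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False, f"critical unknown property '{tag}'"
    issue = [parse_issue_value(v) for _, tag, v in records if tag == "issue"]
    if not issue:
        return True, "no issue property restricts issuance"
    for domain, params in issue:
        if domain != ca_domain:
            continue  # this record names a different CA (or none, for ";")
        wanted = params.get("accounturi")
        if wanted is None or wanted == account_uri:
            return True, "authorized by issue property"
    return False, "no issue property authorizes this CA/account"

# Constructed sample data: the account id is a placeholder, not a real account.
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/0000000"
RRSET = [f'128 issue "letsencrypt.org; accounturi={ACCT}"']

if __name__ == "__main__":
    for ca, acct in [("letsencrypt.org", ACCT),
                     ("letsencrypt.org", ACCT + "1"),
                     ("otherca.example", ACCT)]:
        print(ca, acct[-8:], may_issue(RRSET, ca, acct))
```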