[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Bill Stewart
billstewart at pobox.com
Mon Apr 21 23:22:31 EDT 2025
On 4/18/2025 6:18 AM, Howard Chu wrote:
> Most of the CA nonsense is because the commercial CA model was broken from the start. The original
> X.500 model assumed one authoritative CA per country. In the IETF context, only domain registrars
> should ever have been root level CAs, and they should only ever have issued intermediate CA certs
> to the domains under their authority. Domain owners should have been responsible for issuing their
> own certs for entities in their own domain.
Unfortunately, between just the timing of when each piece got invented
and the US Government's 1970s-90s War On Crypto rounds,
we missed the opportunity to have certificates based on DNSSEC,
where the signature process would be part of the domain name purchase,
so anything that got done was inherently going to be a band-aid.
A minor consolation is that one of Mozilla's initial CAs was a small
South African company, which made enough money for the owner to fund
Ubuntu development, so we get something positive out of the deal.