[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Christian de Larrinaga
cdel at firsthand.net
Tue Apr 22 05:41:03 EDT 2025
Bill Stewart <billstewart at pobox.com> writes:
> On 4/18/2025 6:18 AM, Howard Chu wrote:
>> Most of the CA nonsense is because the commercial CA model was broken from the start. The original
>> X.500 model assumed one authoritative CA per country. In the IETF context, only domain registrars
>> should ever have been root level CAs, and they should only ever have issued intermediate CA certs
>> to the domains under their authority. Domain owners should have been responsible for issuing their
>> own certs for entities in their own domain.
>
> Unfortunately, between just the timing of when each piece got invented
> and the US Government's 1970s-90s War On Crypto rounds,
> we missed the opportunity to have certificates based on DNSSEC,
> where the signature process would be part of the domain name purchase,
> so anything that got done was inherently going to be a bandaid.
>
> A minor consolation is that one of Mozilla's initial CAs was a small
> South African company, which made enough money for the owner to fund
> Ubuntu development, so we get something positive out of the deal.
The current confusion between encrypting paths end to end and trying to
retrofit identity, authentication and other "authority" via insecure
DNS is a mind f* and is tying us into knots of dependencies on DNS of
Gordian knot proportions.
What I really want, really really really want, is e2ee to secure paths
(IP to IP or even MAC to MAC), then let the "market/regulators" secure
dips into registries to authenticate who is who and who has rights to what at
those end points as needed.
--
Christian de Larrinaga