[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

[Andrew Lee]

On Apr 23, 2025, at 1:50 PM, Jon Callas <jon at callas.org> wrote:
> 
> I still think that from our cryptographic viewpoint, there's still the issue that this is comparing one PKI vs another, and there's a whole lot of complication there, particularly when we think about what we could add on to safeguard against an adversary who is an owner of a TLD. What's the analogue of CAA, at least in part? CAA props up weaknesses in the WebPKI via DNS (SEC or not), what would be an analogue?

An analogue to this is decentralizing trust on blockchain (the current best solution to ____ centralization). Handshake, for example, does this and in fact strengthens WebPKI and removes those weaknesses since you now no longer would need to trust a CAbaler and instead only need to trust proof of work consensus blockchain (and that your actual peer and its keys are not compromised altogether of course).

Unfortunately, the few legitimate (real problem solving) projects within that space were drowned out by the ‘wen lambo’ crowd/vaporwares and since has probably diverged too far from ICANN’s ledger for mainstream adoption. T_T

I get the need for the CA back in yesteryear, but in 2025 having a third party single authoritative “validator" into a cryptographic peer to peer communication is wild.

I mean let’s be real, even the Web of Trust GPG you could put your keys in multiple places so there was more then single validation/authentication and of course multiple people can sign.

It would be legendary if ICANN and the CAbal could come together and do this for the world be it blockchain or multi trust at the least for security reasons.

If only we could go back in time and the first blockchain use case wasn’t digital money, things would be so much different.

Money seems to mess up a lot of stuff apparently.

- Andrew