[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47 days by 2029)
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Apr 26 08:48:57 EDT 2025
Tom Mitchell <mitch at niftyegg.com> writes:
>What if commerce and government sites needed a pair of certificates that
>expire out of phase with each other.
That's actually not a bad idea, although it's going to make something that's
already way too complex and fragile even more complex and fragile. A simpler
fix, which could be adopted by browser vendors almost overnight, is to no
longer treat an expired cert as less secure than no cert at all. Just as an
elevator safety cert that's expired on 31 February doesn't mean the first
person to use the elevator on 1 March will plunge to their death, so an
expired site cert doesn't mean leopards will eat your face when you visit the
site it's for, merely that someone or something forgot/failed to renew the
cert on time.
Peter.
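To make the distinction in the post concrete, here is an added example (not part of the original message, not Peter Gutmann's code) that separates a certificate's validity-window outcome from its other verification failures. It uses only the Python standard library: `ssl.cert_time_to_seconds` parses the `notBefore`/`notAfter` strings in the dict shape that `SSLSocket.getpeercert()` returns, and the `verify_code` values 9 and 10 are OpenSSL's `X509_V_ERR_CERT_NOT_YET_VALID` and `X509_V_ERR_CERT_HAS_EXPIRED`. The sample certificate dict is constructed for the example; the function and category names are my own.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample, in the shape returned by ssl.SSLSocket.getpeercert().
# Real certificates carry many more fields; only the validity window matters here.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Feb 17 00:00:00 2025 GMT",
}

# OpenSSL X509_V_ERR_* codes that describe a time problem rather than a trust problem.
# ssl.SSLCertVerificationError exposes the code as .verify_code.
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10


def classify_validity(cert, now=None):
    """Return 'valid', 'expired' or 'not_yet_valid' for a getpeercert()-style dict.

    `now` defaults to the current UTC time; pass a datetime to make the check
    deterministic (as the tests below do).
    """
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_ts < not_before:
        return "not_yet_valid"
    if now_ts > not_after:
        return "expired"
    return "valid"


def triage_verify_error(verify_code):
    """Bucket an OpenSSL verification error code.

    'time' means the chain would have verified, but the clock is outside the
    certificate's validity window (the "someone forgot to renew" case the post
    describes). 'trust' means something else failed: unknown issuer, bad
    signature, hostname mismatch, and so on. Callers that want to follow the
    post's suggestion can treat 'time' as unauthenticated-but-encrypted rather
    than as a hard failure, while keeping 'trust' failures fatal.
    """
    if verify_code in (X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_CERT_HAS_EXPIRED):
        return "time"
    return "trust"


if __name__ == "__main__":
    # Evaluate the constructed certificate at a few fixed instants.
    for when in ("2025-01-01", "2025-02-01", "2025-03-01"):
        at = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
        print(when, classify_validity(SAMPLE_CERT, at))
    print("verify_code 10 ->", triage_verify_error(10))
    print("verify_code 20 ->", triage_verify_error(20))
```

The point of keeping the two functions separate is that a client which only sees a boolean "verification failed" cannot implement the policy the post argues for; it needs to know whether the failure was the calendar or the chain.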