[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47) days by 2029

Bill Stewart billstewart at pobox.com
Mon Apr 28 15:24:23 EDT 2025


On 4/26/2025 5:48 AM, Peter Gutmann wrote:
> Tom Mitchell <mitch at niftyegg.com> writes:
> 
>> What if commerce and government sites needed a pair of certificates that
> expire out of phase with each other?
> 
> That's actually not a bad idea, although it's going to make something that's
> already way too complex and fragile even more complex and fragile.  A simpler
> fix, which could be adopted by browser vendors almost overnight, is to no
> longer treat an expired cert as less secure than no cert at all. 

Obvious UI indicator would be to make the lock yellow instead of green 
or red, etc., or put something similar in the security notes.

