[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47 days by 2029)

John Levine johnl at iecc.com
Tue Apr 29 10:17:39 EDT 2025


It appears that Bill Stewart <billstewart at pobox.com> said:
>On 4/26/2025 5:48 AM, Peter Gutmann wrote:
>> Tom Mitchell <mitch at niftyegg.com> writes:
>> 
>>> What if commerce and government sites needed a pair of certificates that
>>> expire out of phase with each other.
>> 
>> That's actually not a bad idea, although it's going to make something that's
>> already way too complex and fragile even more complex and fragile.  A simpler
>> fix, which could be adopted by browser vendors almost overnight, is to no
>> longer treat an expired cert as less secure than no cert at all. 
>
>Obvious UI indicator would be to make the lock yellow instead of green 
>or red, etc., or put something similar in the security notes.

Keeping in mind the extensive research that shows that users do not understand
those indicators and do not use them meaningfully, uh, OK.

Why do you think green bar certs went away?  Partly it's because they got
competed down to meaningless, but more that they made no difference.

R's,
John
