Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
Encryption Networking

CA/Browser Forum Votes for 47-Day Cert Durations By 2029 (computerworld.com) 114

Posted by EditorDavid from the short-certs dept.
"Members of the CA/Browser Forum have voted to slash cert lifespans from the current one year to 47 days," reports Computerworld, "placing an added burden on enterprise IT staff who must ensure they are updated." In a move that will likely force IT to much more aggressively use web certificate automation services, the Certification Authority Browser Forum (CA/Browser Forum), a gathering of certificate issuers and suppliers of applications that use certificates, voted [last week] to radically slash the lifespan of the certificates that verify the ownership of sites.

The approved changes, which passed overwhelmingly, will be phased in gradually through March 2029, when the certs will only last 47 days.

This controversial change has been debated extensively for more than a year. The group's argument is that this will improve web security in various ways, but some have argued that the group's members have a strong alternative incentive, as they will be the ones earning more money due to this acceleration... Although the group voted overwhelmingly to approve the change, with zero "No" votes, not every member agreed with the decision; five members abstained...

In roughly one year, on March 15, 2026, the "maximum TLS certificate lifespan shrinks to 200 days. This accommodates a six-month renewal cadence. The DCV reuse period reduces to 200 days," according to the passed ballot. The next year, on March 15, 2027, the "maximum TLS certificate lifespan shrinks to 100 days. This accommodates a three-month renewal cadence. The DCV reuse period reduces to 100 days." And on March 15, 2029, "maximum TLS certificate lifespan shrinks to 47 days. This accommodates a one-month renewal cadence. The DCV reuse period reduces to 10 days."
The changes "were primarily pushed by Apple," according to the article, partly to allow more effective reactions to possible changes in cryptography.

And Apple also wrote that the shift "reduces the risk of improper validation, the scope of improper validation perpetuation, and the opportunities for misissued certificates to negatively impact the ecosystem and its relying parties."

Thanks to Slashdot reader itwbennett for sharing the news.

CA/Browser Forum Votes for 47-Day Cert Durations By 2029 More | Reply

CA/Browser Forum Votes for 47-Day Cert Durations By 2029

Comments Filter:

  • internal system / backend certs don't need this.

    • Re: (Score:2)

      by bjoast ( 1310293 )
      They are not affected by this.

      • Re: (Score:2)

        by bjoast ( 1310293 )
        Clarification: Assuming you have your own CA.

  • may seem random, but it's probably meant as 1.5 months plus a day of wiggle room. I was hoping for 42 though.

  • will renew fees be the same = pay an lot more or be same for 1 year?

    • Re: (Score:1)

      by Anonymous Coward

      The renew fee will be the same. I mean, the same ammount you paid for 1 year you will now pay for 47 days, naturally. What did you expect?

      • Re: (Score:3)

        by vanyel ( 28049 )

        Letsencrypt will be the winner from this - free and automated.

        • Re: (Score:2)

          by micheas ( 231635 )

          Letsencrypt will be the winner from this - free and automated.

          I typically use zero SSL for important sites as letsencrypt has a rate limit that if you accidentally make a mistake and exceed can cause your certificates to not be renewed.

          For most management tools it is a two line change to move from letsencrypt to zerossl, (change the endpoint you are hitting and your key) and it was fairly cheap to not risk hitting the rate limit. But, there are lots of options for ACME compatible certificate signers beyond just Mozilla's Let's Encrypt.

        • Re:will renew fees be the same = pay an more or be (Score:4, Interesting)

          by markdavis ( 642305 ) on Saturday April 19, 2025 @11:09PM (#65318221)

          >"Letsencrypt will be the winner from this - free and automated."

          Except in my case, one of our major platforms is outsourced but is a subdomain of my domain. So it is IMPOSSIBLE to automate it. It is a private site, but is reachable publicly for remote access. And I can't load the certificate on their system, only they can, and doing so is difficult and causes downtime. So it means countless hours of my time wasted in renewals, payments, reimbursements, scheduling tickets, uploading files, and downtime. Plus the constant risk of something in that chain failing or being missed and taking down all our operations. Once a year was already a total pain in the a**. I am really pissed about this.

          • I assumed you already looked into it, but ACME has a way to use DNS validation with a totally unrelated domain. Just need to add an CNAME entry to the original domain to a domain you control. Then the DNS validation can update the domain you control while renewing the domain you don't control.

            • >"I assumed you already looked into it [ACME]"

              I haven't, but will. I have no idea if that can help in this odd situation in which I am stuck.

              To me, this radical shortening of certificate duration really does look like a bunch of "security theater" and full of potential conflicts of interest. My posting was to point out that, despite what appears to be the majority opinion, there are minority cases (of which I am one) where it will cause a lot of damage.

              It is easy for people to dismiss such cases as "yo

              • For the record, I agree with you on the security theater here. I have a hard time understanding their reasoning.

                On the actual technical "solution", I have yet to encounter a situation where this does not work if a) the registrar/dns provider supports API access and B) you can get a cname pointed to a domain you control in the zone you do not control.

                The way this works is that when doing the verification, you tell it to check a specific sub-domain. This subdomain is a cname that points to a domain you cont

              • Yes, review here: https://www.eff.org/deeplinks/... [eff.org], particularly the section Use a "Throwaway" Validation Domain.

                The parent domain can just set up the acme challenge CNAME for your subdomain and point it at some domain you do control.

          • Hi Mark, finally someone in the same boat I'm in... Subdomain fully under my control plus domain not under my control but accessible somewhat, in my case. Glad there seems to be something like a solution according to the other response. Let's hope that pans out. Happy Easter!

  • One word (Score:5, Insightful)

    by Anonymous Coward on Saturday April 19, 2025 @04:10PM (#65317649)

    One word: Automation.

    Posting as anonymous coward for obvious reasons - my current employment is PKI.

    This will drive automation to a new level. There is no way IT grunts will be manually renewing these certificates. ACME, or something spawned from that, will be the name of the game for trusted TLS certificates. I've worked for companies where changing the TLS certificate on their main public facing websites was a whole process wrapped up in change control. Those processes will also need to change as it doesn't make sense with all of the overhead the change control process can add, to do this every 30 days.

    And if you are using TLS trusted certificates for internal-only facing systems, these will switch to private issuance, which do not need to follow the CA/B forum rules. For private issuance, you can issue certificates with validity that is in the hundred of years. There is absolutely no reason why internal systems need to use trusted certificates, and this will basically end that practice.

    Many things already use private issuance certificates such as Intune - it would be insane to have your Intune infrastructure use Trusted TLS given the number of certificates are issued for Intune configured systems and authentication.

    As an aside, the CA/B forum has also made OCSP optional, which over time you'll see less and less of. I know of some CA operators who are privately cheering for OCSP to go away as its a high volume real-time service that if it breaks, can break a lot of things rather quickly (speaking from experience).

    • change control issues or java app injecting issues / downtime. Makes automation not work.

      What about places where that cert change is part of an month or more long change control process?

    • Re: (Score:2)

      by Nkwe ( 604125 )

      There is absolutely no reason why internal systems need to use trusted certificates, and this will basically end that practice.

      Being pedantic, but I assume you mean no reason for internal use of publicly trusted certificates. From a security point of view, it's a bad idea not to validate certificates on internal systems -- you need to validate them against your internal CA of course, but failure to validate would open you up to internal threats.

      • Re: (Score:2)

        by tepples ( 727027 )

        I assume you mean no reason for internal use of publicly trusted certificates.

        If you're streaming video from a server on a home LAN or an air-gapped network to a smart TV or a streaming stick, the server will probably need a publicly trusted certificate. I've been told major brands of streaming device have no way to let the user install a privately trusted certificate.

        • Re: (Score:2)

          by EvilSS ( 557649 )
          Why are you using a cert at all in this case at all? I do this today and none of the streams require public certs to work.

    • One word: Automation.

      Still needs testing and verification afterward. Now each instance will have ten chances to break each year instead of one.

      I've worked for companies where changing the TLS certificate on their main public facing websites was a whole process wrapped up in change control.

      Probably somebody broke it in the past. I've seen that happen too.

      • Re: (Score:2)

        by tlhIngan ( 30335 )

        Still needs testing and verification afterward. Now each instance will have ten chances to break each year instead of one.

        Which is likely to be better - first, something that breaks once every couple of years will likely be put up with because it's not worth putting in the effort of fixing. Except now that tribal knowledge is having to be passed on because no one can be bothered to fix it.

        If it breaks every other time every few weeks, then there's much more incentive to fix it properly so it quits breaking

        • Once that knowledge gets put into scripts, if in a few months you discover the script overlooked something, you fix the script and make life simple.

          A lot of stuff is complicated enough it is simply better to do in person. Zero impact changes often require failover/failback of HA pairs. Appliances like ASAs or F5s may have dozens of different cert chains on the same device. Not everyone can just use certbot in a cron job.

          • Re: (Score:2)

            by jsonn ( 792303 )
            Changing a certificate on a service should not be complicated. There is absolutely no reason for it to be complicated. Stop making excuses for badly designed systems.

            • Re: (Score:2)

              by tepples ( 727027 )

              What's the uncomplicated way to change a certificate on a service on an air-gapped network, where you control the server and do not control the clients' certificate stores?

            • Changing a cert without dropping any client connections means servicing new requests and old requests differently, either statefully moving them from old to new or supporting them till they are timeout or closed. Certs are used not just for websites (not that you should boot people off those either) but also for things like SSL VPN connections where you can't just restart the service while people are working. If you have maintenance windows where you can tell people don't use the service at this time cau

              • Re: (Score:2)

                by jsonn ( 792303 )
                No, it doesn't mean anything like that. The certificate is only used during a very brief window of a connection, the initial handshake for computing a symmetric key. The software complexity is nothing more than a reader-writer lock and a pointer update (or something slightly more involved if you want to keep it lock-free). Same for VPNs. If your software or appliance can't do that, it is just badly designed.
                • You appear to know shit about high availability or enterprise grade computing. By all means you go ahead and script your cert changes and do your failovers remotely. Badly designed appliances are clearly the least of your worries.

                  • Re: (Score:2)

                    by jsonn ( 792303 )
                    I've written the code and administrated the systems over the last twenty years. I've heard the excuses, too. Have you? Let me blow your mind for moment. Protocols like Kerberos had support for renewing a ticket automatically without need for human intervention for 30 years. It's a solved problem. It's not even hard to automatically validate the replacement certificate in a way that is better than whatever human compliance tests will make you do, e.g. check the validation time, ensure that the same trust anc
                    • Right, you write code. That explains a lot.

                      Maybe just accept that your Enterprise VPN is shit if it tells you that a certificate rotation needs a restart or disconnecting running connections.

                      I just told you it doesn't, that is the whole point. It is also not just "push button to install new cert" done remotely from home office or running as a cron job. There can be a lot of moving pieces between the endpoints - reverse proxies, load balancers, application firewalls, etc. You may think it is a solved problem in code but in the real world actual thought and planning are still required. I also don't think changing security certificates should be tho

                    • Re: (Score:2)

                      by jsonn ( 792303 )
                      I never had to manually accept a certificate for WiFi. Guess I was holding it wrong. Oh wait, no. Those RADIUS servers had competent admins that served a certificate chain to a trust root. I guess it explains why you are retied when you still couldn't figure out automation of certificate rollover..
                    • They got a profile on your phone somehow, or you trusted it manually. That is how it works.

                      https://support.apple.com/en-c... [apple.com]

                    • I never had to manually accept a certificate for WiFi. Guess I was holding it wrong. Oh wait, no. Those RADIUS servers had competent admins that served a certificate chain to a trust root. I guess it explains why you are retied when you still couldn't figure out automation of certificate rollover..

                      Most of the popular wireless supplicants (windows, android..etc) are insecure by default and will accept literally any certificate. There is no relationship between the identity of the certificate and the network as there would be in a browser going to a given URL where the domain name entered is required to match the name on the cert.

                      Even if the system accepts only valid certs from a valid trust anchor the system is still completely insecure because anyone can attain such a certificate. The only practica

              • Re: (Score:2)

                by ls671 ( 1122017 )

                apachectl graceful will reload the new cert without dropping any connections. It might wait until there are no active connections although I'd have to double check.

                • nginx will run two instances for zero downtime updates, I'd assume it could do the same for certs. I don't do that on my home server cause I don't care, but my point was there may be many things between the client and the webserver that might just have their own considerations and that most people don't even think about.

          • Re: (Score:2)

            by micheas ( 231635 )

            Once that knowledge gets put into scripts, if in a few months you discover the script overlooked something, you fix the script and make life simple.

            A lot of stuff is complicated enough it is simply better to do in person. Zero impact changes often require failover/failback of HA pairs. Appliances like ASAs or F5s may have dozens of different cert chains on the same device. Not everyone can just use certbot in a cron job.

            F5s can be managed from the command line and can have their configs checked into code. F5 even offically supports ansible for managing it https://clouddocs.f5.com/produ... [f5.com]

            So, it certainly can be managed from a cron job.

        • Re: (Score:2)

          by micheas ( 231635 )

          Still needs testing and verification afterward. Now each instance will have ten chances to break each year instead of one.

          Which is likely to be better - first, something that breaks once every couple of years will likely be put up with because it's not worth putting in the effort of fixing. Except now that tribal knowledge is having to be passed on because no one can be bothered to fix it.

          If it breaks every other time every few weeks, then there's much more incentive to fix it properly so it quits breaking so often. And something that breaks every few months is more likely to be passed onto the next guy because it's more recent information than something that only happens once every couple of years.

          I've worked for companies where changing the TLS certificate on their main public facing websites was a whole process wrapped up in change control.

          Probably somebody broke it in the past. I've seen that happen too.

          It likely happened because it's a process that doesn't happen often, so all the tricks you learned this time around are forgotten the next time it happens. When a certificate expires yearly, someone has to remember what they did last year in order to renew it all. And likely things broke because they forgot some things.

          Once that knowledge gets put into scripts, if in a few months you discover the script overlooked something, you fix the script and make life simple. The script becomes the working memory and if something breaks, the script can be run through manually to ensure every piece is updated.

          Also, there's a chance if something breaks, it'll get caught all that much quicker - someone moves a file somewhere and it's forgotten about a year later. Here it's only a month and a half and chances are someone remembers "Oh, we moved that a month ago!".

          This ^

          And the more complicated the more you want things to be fully automated. Manual enterprise deploys have about an 80% fail rate while automated deploys have a far less than 1% fail rate.

          as for "you need to test your site after deploying a new certificate" If it is important enough to be paying someone to work on it, it should be monitored 24x7 anyways.

          The biggest problem with the automated certificates is that the tooling around them is so good you have people who set them up and are in charge of th

    • >"One word: Automation."

      Another three words: Not Possible Everywhere

      I have outsourced systems that use subdomains of my domain and I can't control those systems or install certs on them. And the system is needed 24/7. And it needs to be accessed from everywhere. And installing a certificate means major effort, tickets, additional scheduling, payments, support time, downtime, etc. Doing it annually was already too much.

    • Automation will create a new attack vector, with potentially even larger consequences. No more human reviews, just automation renewing certs. For smaller sites, they will just remove TLS (HTTPS) instead to avoid the headache, especially if browsers stop accepting any certs valid longer than 47 days. Such is the reality of life.

    • I'll bite: How do you automate this with java applications and jks ? (in a secure way)

  • 47 (Score:2)

    by nicubunu ( 242346 )

    Any insight why they picked 47 as the magic number? Why not 46 or 48? Or more likely a multiple of 7, to account for weeks?

    • Re: (Score:2)

      by Entrope ( 68843 )

      I would guess ceil(31 * 1.5), but that's pretty arbitrary and (to me) 31+2*7 would make just as much sense.

      • Re: (Score:2)

        by jsonn ( 792303 )
        Almost. The first assumption made is that it is recommended to update certificates after around 2/3 of their life time. The expected update cycle was 30 days, so 45 days of life time. 47 days is essentially a bit of wiggle room for various smaller delays that could pop up along the line like if you can only update a service once a day.

        • Re: (Score:2)

          by Entrope ( 68843 )

          The first assumption made is that it is recommended to update certificates after around 2/3 of their life time.

          Why is this recommendation made for monthly renewals but not 3- or 6-month renewals, which have 100- and 200-day expirations respectively? With a nominal 30-day month, those give only 10 or 20 days of margin respectively, a far cry from the 50% you posit. The three-month cycle gives fewer days of margin than the one-month cycle. It gives the impression of being rather arbitrary, not based on that kind of assumption or recommendation.

    • Any insight why they picked 47 as the magic number? Why not 46 or 48? Or more likely a multiple of 7, to account for weeks?

      I think for business purposes you'd want a multiple of 7 plus a few days extra, in case of unforeseen complications / emergencies - and 47 accomplishes that.

      There's no reason you couldn't renew every 42 days under this stricture. Or schedule it "on the first Tuesday of each month".

      Personally I see this as largely security theater, but trying to argue against it does seem like opposing the tides at this point...

  • sigh (Score:3)

    by luvirini ( 753157 ) on Saturday April 19, 2025 @04:49PM (#65317727)

    All the legacy systems will be so broken. currently some of them are already a pain to update yearly, with no reasonable way to automate.

    I guess there will be a need to put a reverse proxy with the automated certificate renewal in front of them.

  • How about no? (Score:5, Insightful)

    by sjames ( 1099 ) on Saturday April 19, 2025 @05:11PM (#65317761) Homepage Journal

    At the rate they're going, they'll need to invent new low latency networking and data processing technologies in order to renew the certs before the old one (issued 30 seconds ago) expires.

  • Yay (Score:5, Insightful)

    by peppepz ( 1311345 ) on Saturday April 19, 2025 @05:21PM (#65317777)
    Even more red tape and gatekeepers who get a say in who can communicate over the Internet and how hard it has to be. I remember when it was Microsoft who wanted to make internet protocols more complicated in order to get a competitive edge over the open source community; back then when their plans were exposed there was outrage. Nowadays Google and Apple basically are the internet, and they don't need to work in the shadows to subvert the protocols, because whatever it is that they decide for the day is automatically the "living standard".

  • Dentists also recommend cleanings every 47 days (Score:4, Insightful)

    by SubmergedInTech ( 7710960 ) on Saturday April 19, 2025 @05:31PM (#65317789)

    And please change your car's oil every 47 days.

    For the exact same reason.

    • I often see references to frequent oil changes. Question: Did the concept of better oil and better engines miss America entirely? Car manufacturers (at least in Europe) have never in history recommended oil changes as infrequently as they currently do. In many cases it's not even done as part of yearly inspections anymore.

  • Outcome: more problems, few benefits (Score:5, Interesting)

    by Arrogant-Bastard ( 141720 ) on Saturday April 19, 2025 @06:23PM (#65317863)
    1. Many organizations use change control (and most organizations should). Which means: changes to the production configuration require vetting via a process that's designed to try to stop broken changes from being deployed in a live environment. In other words, deployment is deliberately not automated because a human (or humans) are in the loop. This change represents a significant additional workload on those humans, and one of the ways that many humans respond to such an increase is to get annoyed by the extra work and start finding ways to shortcut the process. In other words, you can expect people to be very diligent when they only have to do something once a year, but every 45 days? Not so much.

    2. Other organizations will resort to automation, which will in turn make supply-chain attacks that leverage the automation much more attractive. I'll predict that within a year of this change going live we'll see just such an attack.

    3. This isn't going to significantly increase aggregate security, because -- for the most part -- certificates aren't the security problem. Bad software, e.g. WordPress, that's widely deployed and poorly maintained is a much bigger problems.

    4. The argument that this will stop some cryptographic exploits is weak, at best. The primary threats in that space are nations, and this change won't really affect them -- because they have far more resources than defenders, and they can readily deal with an 8X decrease in certificate duration by allocating 10X the computing power. (Which, since they're no doubt aware of this year-long debate, and since they know when this goes into effect, they have plenty of time to plan and execute.)
  • Because when an API has a choice between weak password authentication and stronger certificate authentication they're going to pick the password authentication when this shit gets crammed down their throats.

    And for anyone saying there's no reason for an API to invalidate its certificates every 47 days, as soon as the one-year limit hit every API I work with and there's several switched to that. So the 47-day one is next.

    • Re: (Score:2)

      by ls671 ( 1122017 )

      When an API can use weak passwords, it can also generate its own certificate independently from any web certificate authority like for example, openvpn with easyrsa which generates its own certificate independently so your point is really moot. For web certificates used for access for the public at large, there is no weak password option. Furthermore, for internal web sites, you will still be able to generate your own certificates internally and independently and have them last several years if you wish. Th

    • Re: (Score:2)

      by jsonn ( 792303 )
      Your post makes no sense. Please think again who is using what kind of certificate for which purpose...

  • DV CAs are redundant and dangerous (Score:4, Interesting)

    by WaffleMonster ( 969671 ) on Saturday April 19, 2025 @08:36PM (#65318041)

    The CA scheme for DV is needlessly dangerous and redundant and needs to end. Existing schemes like ACME are still based entirely upon insecure indications from insecure protocols.

    There is no reason for global overlapping trust anchors to exist in the first place. This only creates more avoidable avenues for global compromise with zero commensurate benefit.

    More importantly it is redundant for a third party to seek to independently establish domain ownership when this function should just be a function of the domain registrar which already has an existing relationship with the domain owner. There was never any reason for CAs to insert themselves into the process in the first place. It used to be in the early days the CAs would validate you as an organization but that quickly devolved into a lights out process involving placing files in folders and servers making insecure HTTP requests to retrieve those files.

    Neither do I accept the legitimacy of a handful of corporations voting for a change that has substantial global administrative impacts on countless millions of the worlds operators without any substantive outreach, study or consensus.

    Personally I will be working to advocate for expansive use of PAKEs as an alternative to global trust anchors. Most every website worth securing has some form of independent trust relationship with the user. The insecure and dangerous universal practice of authentication via adhoc web forms in plain text over TLS has lead to unnecessary and substantially avoidable mass ownage via phishing related exploits. The utilization of secure authentication based on zero knowledge proofs is far more secure than DV certificates.

    Most sites and internal applications should have never required PKI in the first place. This was always something that has been dominated by band-aids and inertia. A series of decisions that were rational at the time yet in totality have become untenable.

    Global trust anchors should only have ever been used sparingly as onramps for service discovery and onboarding. It was always foolish to aggregate so much responsibility into the hands of the few with global potentially catastrophic consequences. It is past time to end DV certs as we know them.

    • Re: (Score:3)

      by jsonn ( 792303 )
      ACME with a sane CA is about as strong as DV can get. If you implement DNSSEC and use the DNS-01 challenge type, you have a trust chain for the ACME challenge itself. I'm going to ignore the rest of the rant as pointless.

      • ACME with a sane CA is about as strong as DV can get.

        ACME is STILL based on INSECURE indications from INSECURE protocols. This isn't strength, it is a PATHETIC joke.

        If you implement DNSSEC and use the DNS-01 challenge type, you have a trust chain for the ACME challenge itself.

        If everyone had DNSSEC there would be no need for DV CAs and this would all be MOOT.

        I'm going to ignore the rest of the rant as pointless.

        If you have nothing to say keep your mouth shut.

  • Licensing servers (Score:3)

    by strUser_Name ( 7991504 ) on Sunday April 20, 2025 @04:38AM (#65318437)
    An even more centralized internet.. Somehow this feels more and more like web servers are just clients that required a central licensing server in order to operate. They cannot function on their own. They need to ping the mother server in a timely fasion, or else they time out. Something doesn't feel right about this. Feels like sacrificing freedom over security. Which is not bad by itself perse. It's a ballance, I guess. But where do you think this line should be drawn? Why not do 7 days?

    • Re: (Score:2)

      by DMJC ( 682799 )
      Ever since the internet was created the government and standards bodies have tried to kill it's openness and it's freedom. The two things that make the internet what it is.
  • .... 23.5% of the previous cost...? No? I thought not.

  • Does this solve a real problem? That old certificates are "cracked"?

  • As the CA/Browser forum said in their response to this, they feel automation is the key. Protocols like ACME do exist, but really only exist for web servers.

    People forget that it's more than websites that exist on the internet that use PKI infrastructure. Your printer sitting on your desk -- that's got embedded certs. Have a phone? Yup, that has certs loaded into it as well to do encrypted phone calls. LDAP servers, directory servers, mail servers, API servers, game servers, etc. Hell, that IoT lightbu

    • Re: (Score:2)

      by gr8dude ( 832945 )

      > Protocols like ACME do exist, but really only exist for web servers.

      That's not so, an example I mentioned in another thread is the Certificate Management Protocol (CMP, RFC 4210 and its follow-up RFC 4210bis), it is versatile and applicable in context other than web-servers. There are open source CMP client implementations, even OpenSSL 3.x has one - so it is easy to start prototyping and automating your workflow by wrapping `openssl cmp` into scripts.

      Start with https://docs.openssl.org/maste... [openssl.org]

  • Break everything every few months. You must upgrade today today, right away, today.

  • Instead of a chance to break once per year, now your certificate process can break every 47 days, or even more often.

    For a lot of services, even most services, this is overkill. How about letting each service decide?

  • Great (Score:2)

    by DMJC ( 682799 )
    This is so stupid, everyone is going to have to go buy new phones and video conference systems again. Most IP Phones are not designed to rotate SSL Certificates every 50 days.

  • I get the feeling this is driven by the Certificate Authority industry rather than any real need. Their biggest concerns are for compromises in the issuing process, where the wrong parties get issued a certificate they shouldn't have. There's a revocation protocol already defined, but the CAs would rather make certificates expire faster than support revocation lists. This incidentally makes them more money issuing new certificates. Maybe we should push for better support of OCSP so compromised certificates

  • People keep assuming that there must be some kind of profit-driven fuckery to explain this lunacy. It has to be something other than the bullshit facade they're trying to sell. Perhaps they simply cannot say what the real reason is.

    I think the real message cannot be said out loud. It's likely that there's no better way to insert/remove a multi-keyed signing cert (for 3rd party snooping) into the chain without the renewals being fully automated. The meddlesome admins that maintain these systems would sta

Slashdot Top Deals

"I may kid around about drugs, but really, I take them seriously." - Doctor Graper

Close