Re: 6-day TLS certificates from Let's Encrypt

Subject: Re: 6-day TLS certificates from Let's Encrypt
From: theom+news (at) *nospam* chiark.greenend.org.uk (Theo)
Newsgroups: comp.misc
Date: 13. Dec 2024, 19:22:25
Organization: University of Cambridge, England
Message-ID: <14s*y7X1z@news.chiark.greenend.org.uk>
References: 1 2 3
User-Agent: tin/1.8.3-20070201 ("Scotasay") (UNIX) (Linux/5.10.0-28-amd64 (x86_64))

Rich <rich@example.invalid> wrote:
> D <noreply@mixmin.net> wrote:
>> On Wed, 11 Dec 2024 20:27:37 -0300, Salvador Mirzo <smirzo@example.com> wrote:
>>> Let's Encrypt is planning a 6-day TLS certificate for next year.
>>> Our longstanding offering won't fundamentally change next year, but we
>>> are going to introduce a new offering that's a big shift from anything
>>> we've done before - short-lived certificates. Specifically,
>>> certificates with a lifetime of six days. This is a big upgrade for
>>> the security of the TLS ecosystem because it minimizes exposure time
>>> during a key compromise event.
>>> Source:
>>> https://letsencrypt.org/2024/12/11/eoy-letter-2024/
>>
>> seems like everyone is using tls . . . is there anyone "not" using it?
>
> Given Chrome's "insecure" branding in the URL bar from the "make
> everything https" push some years back, there are far fewer who are not
> using it.
>
> But six day expiry dates, that just sounds insane.

It sounds quite handy to me.  One of the problems with Let's Encrypt is that
you set up your server, you get a LE certificate, you set up a cron job for
renewal.  And then 90 days later you find out that your cron job didn't work
for $reasons and the cert expired.  Making this timeout 6 days means that
you find this bug much quicker - if it's still working after a couple of
weeks then things are good.

I might not want to use them in production unless I had a specific concern
over revocation, but being able to use a 6 day cert for the initial
bringup and then move to a 90 day cert once things are stable could be
handy.

Theo
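
An added example, not part of Theo's post: a monitoring check that catches the silently failing renewal job described above before the certificate expires. It flags a certificate as overdue once less than a fraction of its total lifetime remains, so the same check works for 6-day and 90-day certificates. The one-third threshold, the function names and the sample validity dates are assumptions made for this illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption (not from the post): renewal is overdue once less than one
# third of the certificate's total lifetime remains.
RENEW_FRACTION = 1 / 3

def renewal_status(cert, now, renew_fraction=RENEW_FRACTION):
    """Classify a getpeercert()-style dict; `now` must be timezone-aware.

    Returns (state, days_remaining, lifetime_days). Using a fraction of the
    lifetime lets one check cover both 6-day and 90-day certificates.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    lifetime = not_after - not_before
    remaining = not_after - now.timestamp()
    if remaining <= 0:
        state = "EXPIRED"
    elif remaining < lifetime * renew_fraction:
        state = "OVERDUE"   # the renewal job should already have replaced it
    else:
        state = "OK"
    return state, remaining / 86400, lifetime / 86400

def check_host(host, port=443, timeout=10):
    """Fetch the live certificate and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # An already-expired certificate fails the handshake outright.
        return "INVALID", exc.verify_message
    return renewal_status(cert, datetime.now(timezone.utc))[:2]

# Constructed sample validity periods (not real certificates).
SIX_DAY = {"notBefore": "Dec 10 00:00:00 2024 GMT",
           "notAfter": "Dec 16 00:00:00 2024 GMT"}
NINETY_DAY = {"notBefore": "Sep 12 00:00:00 2024 GMT",
              "notAfter": "Dec 11 00:00:00 2024 GMT"}

if __name__ == "__main__":
    for name, cert, day in (("6-day", SIX_DAY, 15), ("90-day", NINETY_DAY, 1)):
        now = datetime(2024, 12, day, tzinfo=timezone.utc)
        print(name, renewal_status(cert, now))
```

Run from a scheduler on a machine other than the web server, `check_host` reports a broken renewal while the old certificate is still valid.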
