Subject: Re: Website Certs Will Soon Last Only 47 Days
From: invalid (at) *nospam* invalid.invalid (Richard Kettlewell)
Newsgroups: comp.misc
Date: 12 Apr 2025, 09:28:22
Organization: terraraq NNTP server
Message-ID: <wwv4iytaimx.fsf@LkoBDZeT.terraraq.uk>
References: 1
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Lawrence D'Oliveiro <ldo@nz.invalid> writes:
> The CA/Browser Forum (a group that includes those entities that issue
> you with attested SSL/TLS certificates) has voted to severely shorten
> the valid duration of its certificates from one year to just 47 days
> <https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html>.
> More concrete details at
> https://github.com/cabforum/servercert/pull/553.
> Some see this as a revenue grab. Yes, it may be, but there are also
> good security reasons for doing so.
The “revenue grab” theory is rather dubious. The proposal is from a
device vendor, not a CA; they will make no money from it at all.
If your CA charges by the renewal _and_ doesn’t adjust prices to reflect
the shorter lifetime of individual certificates, then yes, it’ll get a
lot more expensive; an example of shrinkflation. That’d be time to
migrate to a CA with a more reasonable pricing model.
> The revenue-grab reason may backfire. For most purposes, a free cert
> service like Let’s Encrypt is quite sufficient, and it’s easy enough
> to set your system to run a cron task (or systemd timer) to
> auto-renew. This already happens by default on a Debian installation,
> for example.
Right, the organizations who will have a real problem are those still
renewing certificates manually. They have a choice between spending a
bit more on their own staffing, or automating renewal (probably cutting
their overall costs in the long run).
-- https://www.greenend.org.uk/rjk/