
Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: Lawrence D'Oliveiro <ldo@nz.invalid>
Newsgroups: comp.misc
Subject: Re: Website Certs Will Soon Last Only 47 Days
Date: Mon, 14 Apr 2025 22:28:44 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 18
Message-ID: <vtk26r$295ku$1@dont-email.me>
References: <vtc5an$2oj80$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 15 Apr 2025 00:28:44 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="84fb5bea06fc98d4d0df182c3d5aedf4";
	logging-data="2397854"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1+ejmT1FJspXALMHAN0Js2H"
User-Agent: Pan/0.162 (Pokrosvk)
Cancel-Lock: sha1:/LsNk5yPK2FiF2+Bcvhcu6NyE64=
Bytes: 1874

On Fri, 11 Apr 2025 22:32:56 -0000 (UTC), I wrote:

> For most purposes, a free cert service like Let’s Encrypt is quite
> sufficient ...

Speaking of which, Let’s Encrypt are going to offer the option to shorten 
their certificate lifetimes, from the former 90 days down to as little as 
6 days <https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/>.

Since theirs is a free service, their motives are entirely to do with 
security. Why is such a short interval a good idea? Because it shortens 
the exposure window, should a certificate key become compromised.

There is a mechanism called “certificate revocation”, but it tends to be 
cumbersome and troublesome. With such a short certificate lifetime, there 
will be less need for such a thing: if you suffer a certificate security 
breach, just immediately get a new certificate with a new key, and be 
extra-vigilant during the few days until the old one expires.