From: Richard Kettlewell <invalid@invalid.invalid>
Newsgroups: comp.misc
Subject: Re: Website Certs Will Soon Last Only 47 Days
Date: Sat, 12 Apr 2025 09:28:22 +0100
Organization: terraraq NNTP server
Message-ID: <wwv4iytaimx.fsf@LkoBDZeT.terraraq.uk>
References: <vtc5an$2oj80$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Lawrence D'Oliveiro <ldo@nz.invalid> writes:
> The CA/Browser Forum (a group that includes those entities that issue
> you with attested SSL/TLS certificates) has voted to severely shorten
> the valid duration of its certificates from one year to just 47 days
> <https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html>.

More concrete details at https://github.com/cabforum/servercert/pull/553.

> Some see this as a revenue grab. Yes, it may be, but there are also
> good security reasons for doing so.

The “revenue grab” theory is rather dubious. The proposal is from a
device vendor, not a CA; they will make no money from it at all.

If your CA charges by the renewal _and_ doesn’t adjust prices to reflect
the shorter lifetime of individual certificates, then yes, it’ll get a
lot more expensive; an example of shrinkflation. That’d be time to
migrate to a CA with a more reasonable pricing model.

> The revenue-grab reason may backfire. For most purposes, a free cert
> service like Let’s Encrypt is quite sufficient, and it’s easy enough
> to set your system to run a cron task (or systemd timer) to
> auto-renew. This already happens by default on a Debian installation,
> for example.

Right, the organizations who will have a real problem are those still
renewing certificates manually. They have a choice between spending a
bit more on their own staffing, or automating renewal (probably cutting
their overall costs in the long run).

-- 
https://www.greenend.org.uk/rjk/
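As an added example (not code from either poster), a small Python helper that applies the renewal rule common ACME clients use, renew once two thirds of the certificate lifetime has elapsed (certbot's default of renewing 90-day certificates 30 days before expiry is the same rule), to check whether a given cron or systemd timer cadence still renews in time once lifetimes drop to 47 days. The dates, cadences and failure budget are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Renew once this fraction of the lifetime has elapsed; the remainder is the
# margin in which a failed renewal attempt can be retried before expiry.
RENEW_AT_FRACTION = 2 / 3


def renewal_window(not_before, not_after):
    """Return (renew_from, margin): the instant the renewal job should start
    trying, and the time left between that instant and expiry."""
    lifetime = not_after - not_before
    renew_from = not_before + lifetime * RENEW_AT_FRACTION
    return renew_from, not_after - renew_from


def schedule_is_safe(not_before, not_after, check_interval, failed_attempts=3):
    """True when a job running every `check_interval` still renews before
    expiry even after `failed_attempts` consecutive failed runs (CA outage,
    DNS validation hiccup, rate limit). Worst case: the first eligible run is
    almost a full interval late, then every retry fails for `failed_attempts`
    more intervals."""
    _, margin = renewal_window(not_before, not_after)
    worst_case_delay = check_interval * (failed_attempts + 1)
    return worst_case_delay < margin


def compare_lifetimes(lifetime_days, check_interval):
    """Evaluate one renewal cadence against a certificate of the given
    lifetime, issued at a constructed fixed date."""
    not_before = datetime(2025, 4, 12, tzinfo=timezone.utc)  # sample issue date
    not_after = not_before + timedelta(days=lifetime_days)
    renew_from, margin = renewal_window(not_before, not_after)
    return {
        "renew_from": renew_from,
        "margin_days": margin.total_seconds() / 86400,
        "safe": schedule_is_safe(not_before, not_after, check_interval),
    }


if __name__ == "__main__":
    # A monthly cron job is fine for year-long certificates but not for 47-day ones;
    # a daily (or certbot's twice-daily) timer keeps the margin.
    for days in (398, 47):
        for label, interval in (("monthly", timedelta(days=30)),
                                ("weekly", timedelta(days=7)),
                                ("daily", timedelta(days=1))):
            r = compare_lifetimes(days, interval)
            print(f"{days:3d}-day cert, {label:7s} check: margin {r['margin_days']:.1f} d,"
                  f" safe={r['safe']}")
```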