Andrew Ayer
@__agwa
Exactly five years ago, I made this Git commit to discontinue multi-year certificates at @SSLMate. Today the CA/Browser Forum finished voting on a ballot to limit all publicly-trusted certificates to 1 year. (1/7) pic.twitter.com/oTyWwGqbJ3
Andrew Ayer
@__agwa
10 Sep

Although the ballot failed (cabforum.org/pipermail/serv…), it had unanimous browser support, and I anticipate that browsers will limit certificates to 1 year anyways. (2/7)
Andrew Ayer
@__agwa
10 Sep

1 year certs are good for regular Web users, because certificates issued with weak cryptography or weak validation practices are cycled out faster. Security improvements, like Certificate Transparency, can be rolled out more quickly. (3/7)
Andrew Ayer
@__agwa
10 Sep

1 year certs are good for site operators because certificate renewal is a more regular event rather than something that they have to scramble to remember how to do at the last minute. (Full automation is even better, but not always feasible yet. 1 year is a happy medium.) (4/7)
Andrew Ayer
@__agwa
10 Sep

1 year certs are more honest, because serious security incidents mean a long-lived cert might not remain valid for its entire term. Every 5 year cert issued through @SSLMate before Sep 2014 had to be replaced twice: for the SHA-1 deprecation, and for the Symantec distrust. (5/7)
Andrew Ayer
@__agwa
10 Sep

1 year certs are better for @SSLMate, since they allow us to iterate more quickly without having to deal with legacy baggage. I deleted 20k lines of code in April. I couldn't have deleted all that code if the system still had to manage certificates issued in 2014. (6/7)
Andrew Ayer
@__agwa
10 Sep

I can't wait to see certificates limited to 1 year everywhere, and I'm proud I was ahead of the curve on this. sslmate.com/blog/post/one_… (7/7)
Janno Schouwenburg
@schouwenburg
10 Sep

Still an industry failure to not get revoking implemented right
Andrew Ayer
@__agwa
10 Sep

The move to 1 year certs doesn't have much to do with revocation.
lamby
@lolamby
10 Sep

Somewhat off-topic but... what on earth is that typeface?! :)
AndrewLighten
@AndrewLighten
10 Sep

Looks like the classic Sun typeface.