Apple wants TLS certs' maximum validity cut down to 45 days by 2027

[jobbautista9]

And just when I thought Let's Encrypt's validity length for its TLS certificates are insanely too short already...

https://www.theregister.com/2024/10/15/ ... _lifespan/

[moonbat]

Extortion racket if I ever saw one. First push HTTPS everywhere even for public websites that hold no private data or credentials, now keep forking out money to keep your site running.

[Moonchild]

One year re-issue is already a PITA. 45 days would completely negate any security it would have because of the necessity to fully automate certificate issuance.

[suzyne]

Whether it's 90 days or half that, isn't everybody using a Let's Encrypt batch file (or similar) that automates the process anyway?

[Basilisk-Dev]

Whether it's 90 days or half that, isn't everybody using a Let's Encrypt batch file (or similar) that automates the process anyway?

No. Many people still pay for certificates. If that were not the case the certificate authorities would go out of business, or at the very least they would stop selling certificates and transition to other products.

[Moonchild]

Whether it's 90 days or half that, isn't everybody using a Let's Encrypt batch file (or similar) that automates the process anyway?

Nope. check the cert on this site.

[athenian200]

Well, that's bad news. I honestly don't know if I'm diligent enough as a person to stay on top of having to update a certificate essentially once a month. That would require staying on top of things in a way I know I would struggle to do consistently, which is part of why I struggle to do things like find employment or anything like that...

I still want to continue Epyrus as a project, but I don't know if I can handle the burden of having an actual website anymore if it gets this involved. Still, they said this would be 2027, and hopefully nothing changes until that time. I'm worried they'll do it in stages, though... cutting it to 6 months unexpectedly, then 3 months, before finally hitting 45 days.

I feel like once a year isn't too bad, 6 months would be annoying but manageable... but if it started getting down to 3 months, it would be starting to hurt, and at 45 days it's at the point where I can't have a personal website anymore because it's too much of a burden.

[Basilisk-Dev]

Off-topic:
Who determines that the certificate authorities themselves are trustworthy? I've always been skeptical of this.

[Moonchild]

Off-topic:

Off-topic:
Who determines that the certificate authorities themselves are trustworthy? I've always been skeptical of this.

In general that would be the CA/B forum. Also, cross-signing of root and CA certs also happens where one trusted entity vouches for another to extend trust.
But some alternative peer-trust groups exist as well.
The premise is there that trust is built through peers, similar to the web of trust in pgp/gpg

[suzyne]

Nope. check the cert on this site.

45 days would be painful then!

Off-topic:
Looks at new avatar... very scary and fierce!

[Moonchild]

Off-topic:

Looks at new avatar... very scary and fierce!

'tis the season. Just like the Pale Moon website being more scary

[RealityRipple]

crls? ocsp? don't you love it when one of the biggest tech companies in the world says "the technology has failed us, do it by hand"?

[Moonchild]

crls? ocsp? don't you love it when one of the biggest tech companies in the world says "the technology has failed us, do it by hand"?

"do it by hand so we don't need to run the infra any longer for revocation protocols, while still charging ever-increasing amounts for certs".
Just another branch of corporate greed, probably.