
Today's big news: One year max public TLS certs are coming, starting 1 Sept 2020 - X-Istence
https://twitter.com/chosensecurity/status/1230253348236013570
======
ecmascript
What does this mean, exactly?

What will this mean for existing certs that are valid for longer? Will they
be marked as untrusted? Why are one-year certs more secure?

~~~
X-Istence
Current certs are limited to 2 years max already, so this reduces it to 1
year.

For certs that were issued before September 1st, 2020 nothing will change;
they will continue to be valid for 2 years. So if you get a certificate on August
31st, 2020 that is valid for 2 years, it will be valid till August 30th, 2022.

However, certificates created after September 1st, 2020 that are issued for 2
years will no longer be accepted by Safari (and thus it will throw a TLS
warning when a user visits the page).

> Why are one-year certs more secure?

The issue with long lived certificates is that if the certificate + private
key is stolen, then it can be abused for the duration of the certificate
lifetime.

Revocation is currently not very feasible because of the high cost of turning
on CRL/OCSP checking on every request, and OCSP stapling is not currently
enforced, because of the potential for sites to go down when the staple is
missing or outdated and the certificate authority's OCSP servers are not
returning new answers.

Here's a good article that explains some of the issues with revocation:
[https://arstechnica.com/information-technology/2017/07/https-certificate-revocation-is-broken-and-its-time-for-some-new-tools/](https://arstechnica.com/information-technology/2017/07/https-certificate-revocation-is-broken-and-its-time-for-some-new-tools/)

Last edit:

Shorter certificates are better for security overall, as there is less time
for an attacker to potentially abuse a certificate.
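An added example (not from the thread or from any browser vendor) of the inventory check a site operator would run against the policy described above: classify a certificate by its issue date and lifetime, using the `notBefore`/`notAfter` time format that Python's `ssl.getpeercert()` returns. The cutoff date and the "1 year" limit come from the thread; the exact day count (365) and the sample certificate dates are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumptions: the thread says "1 year" and "September 1st, 2020"; the exact
# day count of the announced limit is not given there, so 365 days is assumed.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=365)


def parse_cert_time(value):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings found in getpeercert() output."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def check_lifetime(not_before, not_after):
    """Return (status, lifetime_in_days) for one certificate.

    'grandfathered': issued before the cutoff, so its existing lifetime is honoured.
    'too_long':      issued on/after the cutoff with a lifetime over the limit
                     (Safari will reject it and show a TLS warning).
    'ok':            issued on/after the cutoff and within the limit.
    """
    nb = parse_cert_time(not_before)
    na = parse_cert_time(not_after)
    if na <= nb:
        raise ValueError("notAfter must be later than notBefore")
    lifetime = na - nb
    if nb < POLICY_START:
        return "grandfathered", lifetime.days
    if lifetime > MAX_LIFETIME:
        return "too_long", lifetime.days
    return "ok", lifetime.days


# Constructed sample inventory: (hostname, notBefore, notAfter).
SAMPLE_CERTS = [
    ("shop.example", "Aug 31 00:00:00 2020 GMT", "Aug 30 00:00:00 2022 GMT"),
    ("api.example", "Sep  1 00:00:00 2020 GMT", "Sep  1 00:00:00 2022 GMT"),
    ("www.example", "Sep 15 00:00:00 2020 GMT", "Sep 15 00:00:00 2021 GMT"),
]


def audit(certs=SAMPLE_CERTS):
    """Map each hostname to its (status, lifetime_in_days) classification."""
    return {host: check_lifetime(nb, na) for host, nb, na in certs}


if __name__ == "__main__":
    for host, (status, days) in audit().items():
        print(f"{host}: {status} ({days} days)")
```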

