2 comments

[ 4.5 ms ] story [ 16.8 ms ] thread
What does this mean, exactly?

What will this mean for existing certs that are valid for longer? Will they marked as untrusted? Why is one year certs more secure?

Current certs are limited to 2 years max already, so this reduces it to 1 year.

For certs that were issued before September 1st, 2020 nothing will change, they will continue be valid for 2 years. So if you get a certificate on August 31st, 2020 that is valid for 2 years, it will be valid till August 30th, 2022.

However certificates created after September 1st, 2020 that are issued for 2 years will no longer be accepted by Safari (and thus it will throw a TLS warning when a user visits the page)

> Why is one year certs more secure?

The issue with long lived certificates is that if the certificate + private key is stolen, then it can be abused for the duration of the certificate lifetime.

Revocation is currently not very feasible because of the high cost for turning on CRL/OCSP checking on every request, and even with OCSP stapling (which is not currently enforced because of potential for sites to go down because the staple is missing or outdated and the certificate authors OCSP servers are not returning new answers).

Here's a good article that explains some of the issues with revocation: https://arstechnica.com/information-technology/2017/07/https...

Last edit:

Shorter certificates are better for security overall, as there is less time for an attacker to potentially abuse a certificate.