Comment by nickf

3 days ago

Not quite that simple, no. It's a good reason, and while CRL and OCSP don't really work well - CRLite/OneCRL, CRLsets and valid all go some way to making revocation reasonably effective. Having an effective way to rotate all certificates, quickly, is a bigger reason. 1k -> 2k RSA took too long. SHA1 -> SHA2 took waaaaay too long. Changing anything about the webPKI takes too long unless everyone is on short lifetimes. The post-quantum bogeyman looms, too. Heartbleed and unforced CA errors become way less of a problem is everyone is forced to rotate monthly.

2 comments

nickf

tptacek 2 days ago

Fair enough (I knew someone was going to come in here and whack me on this). I'd only say that this makes the overall argument for short-lifetime certs even stronger. :)

nickf 2 days ago

…and I didn’t even have to play the SC-081 sponsor card either ;)