197 points SGran | 1 comment
likeabatterycar No.42729159
> Our six-day certificates will not include OCSP or CRL URLs.

If someone else did this, Mozilla would be threatening to remove them from their trusted roots.

IP address certs sound like a security nightmare that could be subverted by BGP hijacking. Which is why most CAs don't issue them. Does accessing the ACME challenge from multiple endpoints adequately prevent this type of attack?

replies(3): >>42729196, >>42729493, >>42730032

dextercd No.42729196
Not true. CAs are explicitly allowed to omit CRL support for certificates with a lifetime <= 10 days.

replies(1): >>42729297

throw0101c No.42729297
> §1.6.1 Definitions

> Short-lived Subscriber Certificate: For Certificates issued on or after 15 March 2024 and prior to 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 10 days (864,000 seconds). For Certificates issued on or after 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 7 days (604,800 seconds).

[…]

> §7.1.2.11.2 CRL Distribution Points

> The CRL Distribution Points extension MUST be present in: Subordinate CA Certificates; and Subscriber Certificates that 1) do not qualify as “Short-lived Subscriber Certificates” and 2) do not include an Authority Information Access extension with an id-ad-ocspaccessMethod.

* https://cabforum.org/working-groups/server/baseline-requirem...

OCSP does not seem to be mandated in the latest Base Requirements.
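The two quoted clauses combine into a small, date-dependent rule: whether a subscriber certificate is "short-lived" depends on when it was issued, and only certificates that are not short-lived and also carry no OCSP AIA entry must have a CRL Distribution Points extension. The check below is an added example (not code from the thread or from any CA or from the CA/B Forum) that encodes exactly those thresholds so a defender can flag certificates whose lack of revocation pointers is not covered by the short-lived exemption. It takes already-parsed certificate facts as plain fields rather than parsing DER, and it assumes, following the Baseline Requirements' own definition of Validity Period (not quoted in the thread), that the period is counted inclusively from notBefore through notAfter, so a certificate with notAfter exactly ten days after notBefore is one second too long to qualify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Cut-over dates and limits taken from BR §1.6.1 as quoted in the thread.
CUTOVER_2024 = datetime(2024, 3, 15, tzinfo=timezone.utc)
CUTOVER_2026 = datetime(2026, 3, 15, tzinfo=timezone.utc)
LIMIT_BEFORE_2026 = 864_000   # seconds (10 days)
LIMIT_FROM_2026 = 604_800     # seconds (7 days)


@dataclass
class SubscriberCertFacts:
    """Fields a checker would lift out of a parsed leaf certificate (constructed input)."""
    not_before: datetime        # assumption: notBefore is used as the issuance date
    not_after: datetime
    has_crl_dp: bool            # CRL Distribution Points extension present
    has_ocsp_aia: bool          # AIA extension with id-ad-ocsp accessMethod present


def validity_seconds(cert: SubscriberCertFacts) -> int:
    # Assumption (per the BR Validity Period definition): notBefore through
    # notAfter inclusive, hence the +1 second.
    return int((cert.not_after - cert.not_before).total_seconds()) + 1


def short_lived_limit(issued: datetime) -> Optional[int]:
    """Maximum Validity Period (seconds) for a Short-lived Subscriber Certificate,
    or None if no such category existed on the issuance date."""
    if issued < CUTOVER_2024:
        return None
    if issued < CUTOVER_2026:
        return LIMIT_BEFORE_2026
    return LIMIT_FROM_2026


def is_short_lived(cert: SubscriberCertFacts) -> bool:
    limit = short_lived_limit(cert.not_before)
    return limit is not None and validity_seconds(cert) <= limit


def crl_dp_required(cert: SubscriberCertFacts) -> bool:
    # §7.1.2.11.2: CRLDP MUST be present in subscriber certificates that
    # 1) are not short-lived AND 2) carry no OCSP AIA entry.
    return (not is_short_lived(cert)) and (not cert.has_ocsp_aia)


def check_revocation_pointers(cert: SubscriberCertFacts) -> List[str]:
    """Return findings; an empty list means the certificate is consistent with
    the two quoted clauses."""
    findings: List[str] = []
    if crl_dp_required(cert) and not cert.has_crl_dp:
        findings.append(
            "CRL Distribution Points required: certificate is not short-lived "
            f"({validity_seconds(cert)} s) and has no OCSP AIA entry"
        )
    return findings


def make_cert(issued: datetime, days: int, crl_dp: bool, ocsp: bool) -> SubscriberCertFacts:
    """Helper for constructed samples: notAfter = notBefore + days - 1 s, so the
    inclusive Validity Period is exactly `days` days."""
    return SubscriberCertFacts(
        not_before=issued,
        not_after=issued + timedelta(days=days) - timedelta(seconds=1),
        has_crl_dp=crl_dp,
        has_ocsp_aia=ocsp,
    )


if __name__ == "__main__":
    issued = datetime(2025, 6, 1, tzinfo=timezone.utc)
    six_day = make_cert(issued, 6, crl_dp=False, ocsp=False)      # like the thread's 6-day cert
    ninety_day = make_cert(issued, 90, crl_dp=False, ocsp=False)  # must carry a pointer
    for label, c in (("6-day", six_day), ("90-day", ninety_day)):
        print(label, "short-lived:", is_short_lived(c), "findings:", check_revocation_pointers(c))
```

Running it shows the six-day certificate passes with neither pointer, while the ninety-day certificate without OCSP is flagged for a missing CRLDP; the same ninety-day certificate with an OCSP AIA entry passes, which is the reading of §7.1.2.11.2 that the last sentence of the post arrives at.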