
197 points SGran | 7 comments
1. Eikon No.42729893
This will get interesting for many CT transparency monitors, many of which are already seeing scalability issues.

I am operating https://www.merklemap.com/ and the current scale is already impressive.

replies(4): >>42730632 #>>42731359 #>>42731797 #>>42732171 #
2. sebmellen No.42730632
What a cool site. For a long time I've been looking for something exactly like this for discovery purposes.
replies(1): >>42730708 #
3. Eikon No.42730708
Thank you!
4. mholt No.42731359
I don't know much about CT requirements, but can't they prune data out of their logs after some time? Since the certs only last 6 days, the growth of the logs can be capped at some point, right? If not now, provisions for such operations could surely be implemented, I imagine.

PS. Neat site!

replies(1): >>42731377 #
5. Eikon No.42731377
> I don't know much about CT requirements, but can't they prune data out of their logs after some time? Since the certs only last 6 days, the growth of the logs can be capped at some point, right?

That's what happens - logs are "expired" after a few years. But if you want to have an exhaustive monitor, you probably don't want to discard the records of expired certificates.

> PS. Neat site!

Thank you!

6. o11c No.42731797
Hmm, I wonder if it's possible to do dedicated intermediate certificates that promise to only sign short-lived certificates for a single site? That way the CT-log could be taught to only keep the intermediate?
7. No.42732171