
197 points SGran | 4 comments
rickette No.42729799
Kinda funny to call the current 90 day certs "long lived". When Let's Encrypt started out more than 10 years ago most certs from major vendors had a 1 year life span. Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.
replies(3): >>42730254 >>42730324 >>42735256
ryandrake No.42730254
To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my e-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.
replies(16): >>42730288 >>42730534 >>42730907 >>42731093 >>42731446 >>42731761 >>42731830 >>42731926 >>42731977 >>42732175 >>42732403 >>42732552 >>42733057 >>42733861 >>42734330 >>42735479
rfoo No.42730288
... which means automation was not set up correctly and 90 days is still too long, so that you just tolerated it. If it was 6 days, after a few turns you would have decided "fuck it, I'm going to spend time fixing it once and for all".
replies(2): >>42730612 >>42730867
likeabatterycar No.42730867
These are the attitudes we get when we have a WebPKI cabal drunk on power.
replies(2): >>42732580 >>42734029
ocdtrekkie No.42734029
Unsurprisingly the 100% true comment in here is gray: PKI is breaking the Internet and because the PKI folks have literally no guardrails of any kind, they're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.

But hey, there's an upside: When they finally break this toy badly enough, everyone will finally evict the CAB from their lives and do something else.

replies(1): >>42735341
KronisLV No.42735341
> They're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.

I think that shorter cert lifetimes and the push for more automation is a valid direction to look in and work towards. But at the same time that means that there's a certain skill floor and also certain tech that you need to have in place to be able to work with all of that.

Back in the day, you'd just have someone sit down once in a year, move a few files around your server and call it a day. With the current trends, that won't really be possible, at least not for any of the certs that you can get for free.

For my public facing stuff, I just bit the bullet and went through with the automation (certbot is nice, mod_md is okay, Caddy is great), but for my personal stuff I settled on running my own CA and self-signing stuff. If I want a 10 year cert expiry for something that I don't really care that much about, I'll go ahead and do that because I'm in control. The server itself is unlikely to survive for long anyway and other development stuff is more likely to break first, so I'd rather spend my time there, rather than on automation that I don't need. Plus, mTLS is suddenly easy to do as an added security layer if I ever need to expose something to-the-outside-but-actually-just-for-myself-when-on-the-move.

replies(1): >>42751191
1. ocdtrekkie No.42751191
So first and foremost, nearly every enterprise organization is still shifting a few files every 11 months thanks to the CAB. This isn't the past, it's the present.

Second, I think the statistic is that 81% of businesses have had an outage due to certificate expiry. So you need to understand that making certs expire more is inherently damaging. Automation breaks so even automated shorter-lifetime certificates will still accelerate and increase this damage.

And finally, nobody who's ever tried justifying the CAB's behavior has actually been able to demonstrate the CAB is solving real world problems. I want someone from the CAB to show me a real world exploit that happened that was because someone got a hold of a certificate between 7 and 90 days old and was able to use that maliciously.

If someone from the CAB can't do that, the entire CAB should be disbanded.

Regarding your "skill issue" comment, it really only demonstrates you have some growing up to do. There's a lot of real world complexity in operating business-critical and life-critical services, and it's obvious you lack experience with both.

replies(2): >>42751665 >>42762266
2. KronisLV No.42751665
> Regarding your "skill issue" comment, it really only demonstrates you have some growing up to do. There's a lot of real world complexity in operating business-critical and life-critical services, and it's obvious you lack experience with both.

I believe that this is out of place and perhaps a result of reading things with an uncharitable interpretation.

The skill floor part of the comment isn't me attempting to blame someone, but rather point out that needing this sort of automation complicates things and adds friction. If the only certificates that you get for free (e.g. Let's Encrypt) are short lived, then you can't just sit down once a year and move some files around, you need certbot / mod_md / Caddy and all that comes with it. Of course, you still have the longer lived commercial certs, but it's odd to see how the trend is shifting towards ACME. Not the end of the world for most, but also something that a mom & pop shop might prefer not to deal with. Or, you know, environments with specific requirements.

> So you need to understand that making certs expire more is inherently damaging.

For this, I make no claims one way or the other. To me, concerns about long lived certificates seem valid, as do those about short lived ones, both have risks associated with them. Which is the better approach? You decide for yourself. Except most people don't get to decide and just have to roll along with whatever the industry at large settles on.

replies(1): >>42751765
3. ocdtrekkie No.42751765
When you talk about there being risks to both short and long lived certificates, that is true, but it's omitting a very important detail: Short-lived certificates have practical, real-world risks that are actually happening every day. People die when the Internet breaks. Long-lived certificates have some imaginary and hypothetical security risks that the CAB is very scared of but that mostly don't happen.

In any good risk management scenario you have to weigh the cost/benefit of a change in terms of what benefits it offers and what tradeoffs it has. The CAB has repeatedly demonstrated complete inability to consider the risk profile of their behavior. They are unqualified for the job, and unfortunately, accountable to no one.

4. rfoo No.42762266
> Second, I think the statistic is that 81% of businesses have had an outage due to certificate expiry. So you need to understand that making certs expire more is inherently damaging.

Uh, no. Most of the outages due to certificate expiry are not caused by subtly broken automation. They are caused by non-existent automation or outright broken (never gonna work) automation.

So, if you make certificates expire in 6 days, you are not going to have these outages. They will be caught during development.

People just pretend it's okay and forget about 1 year certs. With 6-day certs it would be impossible to pretend it's okay to shift a few files manually. Or maybe some organizations will set up a human-run rotation which actually shifts a few files every 3 days; that's totally okay. You don't need automation. You just need a way to consistently make sure your certificate won't expire in prod (and in an emergency, be able to quickly replace a cert).

Certificates with 1 year expiry are nothing but a dangerous footgun. It's worse than 30-year expiry; at least with 30-year expiry you don't get outages.
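The practical middle ground between ryandrake's "babysit certbot every 90 days" and rfoo's "a way to consistently make sure your certificate won't expire in prod" is a pre-expiry check that runs from cron and alerts while there is still time to fix the renewal, rather than when clients start failing. The script below is an added example written for this thread, not code from any commenter or from certbot; it assumes the openssl command-line tool is installed and that the certificates to watch are PEM files on local disk (the certbot path in the usage comment is the typical one, not something the thread states).

```shell
#!/bin/sh
# Added example: warn before a certificate expires, so a broken renewal
# is noticed while there is still time to fix it.
# Assumes: the openssl CLI; PEM certificate files on local disk.

# days_to_seconds DAYS -> seconds (openssl -checkend takes seconds)
days_to_seconds() {
    echo $(( $1 * 86400 ))
}

# cert_expires_within FILE DAYS
# Returns 0 (true) if the certificate in FILE will have expired DAYS days
# from now, 1 if it is still valid beyond that window.
# `openssl x509 -checkend N` exits 0 when the cert is still valid N seconds
# from now and 1 when it is not. An unreadable or malformed file also makes
# openssl exit non-zero, which we deliberately treat as "needs attention".
cert_expires_within() {
    file="$1"
    secs=$(days_to_seconds "$2")
    if openssl x509 -in "$file" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1   # valid beyond the window
    else
        return 0   # expires within the window, already expired, or unreadable
    fi
}

# check_certs DAYS FILE...
# Prints one status line per certificate; returns 1 if any certificate is
# inside the warning window (so cron, a monitoring agent, or a CI step can
# alert on the exit code), 0 if all are fine.
check_certs() {
    days="$1"; shift
    rc=0
    for f in "$@"; do
        if cert_expires_within "$f" "$days"; then
            end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
            echo "WARN $f expires within $days days (notAfter=$end)"
            rc=1
        else
            echo "ok   $f"
        fi
    done
    return $rc
}

# Usage from cron, e.g. daily, with a window longer than your renewal period
# (certbot's default layout, assumed here, keeps the live chain under
# /etc/letsencrypt/live/<name>/fullchain.pem):
#   check_certs 14 /etc/letsencrypt/live/*/fullchain.pem || mail -s "cert expiry" you@example.org
```

The window should be wider than the renewal cadence the automation is supposed to keep: with certbot's renew-at-30-days-left default, a 14-day warning only fires after a renewal has already been missed at least twice, which is exactly the "automation silently broke" case the thread is arguing about. For a 6-day certificate the same script works unchanged with a window of a day or two.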