    181 points zdw | 13 comments
    1. whatever1 No.44420959
    Is it the right time to rant about the cert expiration as a concept? I understand why certs might be revoked. But expire?
    replies(7): >>44421005 #>>44421014 #>>44421298 #>>44421364 #>>44421391 #>>44421714 #>>44421852 #
    2. unilynx No.44421005
    Can't remove a certificate from the revocation lists until it's expired, leading to boundless growth of those lists.

    Risk of private keys/certificates from old backup media being leaked (remembering the Adobe password leak...) and then suddenly coming back online and working until someone figures out how to revoke them.
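
The revocation-list point in the comment above, as an added illustration that is not part of the thread: a constructed toy model in which a CA lists a revoked certificate only until it expires. The names `Revoked`, `publish_crl` and `simulate`, and the issuance rate, revocation fraction and revocation delay, are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Revoked:
    serial: int
    revoked_on: int           # day the CA revoked the certificate
    not_after: Optional[int]  # first day it is no longer valid; None = never expires


def publish_crl(entries: List[Revoked], today: int) -> List[Revoked]:
    """Entries the CA must still list today: already revoked and not yet expired."""
    return [e for e in entries
            if e.revoked_on <= today
            and (e.not_after is None or e.not_after > today)]


def simulate(days: int, lifetime: Optional[int], issued_per_day: int = 100,
             revoke_every: int = 50, revoke_delay: int = 10) -> List[int]:
    """Return the CRL length on each day of the run.

    Constructed model: every `revoke_every`-th certificate issued is revoked
    `revoke_delay` days after issuance. `lifetime=None` models certificates
    that never expire, so their CRL entries can never be dropped.
    """
    entries: List[Revoked] = []
    sizes: List[int] = []
    serial = 0
    for day in range(days):
        for _ in range(issued_per_day):
            serial += 1
            if serial % revoke_every == 0:
                not_after = None if lifetime is None else day + lifetime
                entries.append(Revoked(serial, day + revoke_delay, not_after))
        sizes.append(len(publish_crl(entries, day)))
    return sizes


if __name__ == "__main__":
    for label, lifetime in (("47-day", 47), ("90-day", 90), ("no expiry", None)):
        sizes = simulate(730, lifetime)
        print(f"{label:>9}: after 1 year {sizes[364]:5d}, after 2 years {sizes[729]:5d}")
```

With a finite lifetime the list levels off at the revocation rate times (lifetime minus revocation delay); without expiry it keeps growing for as long as the CA operates.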

    3. borplk No.44421014
    At a minimum I consider it like an automatic "garbage collection" mechanism that prevents dead and abandoned things from remaining "valid forever".

    It also helps with things such as change of ownership so after a certain period of time you can have the peace of mind that certs potentially issued by the previous owners are not lingering around as active (I understand things such as revoking and pinning can help with this too but it's nice to have a plain time-based expiry too).

    4. em-bee No.44421298
    revoking certs does not work. it is so bad that the end result is that by 2029 certificates will not be allowed to be valid longer than 47 days: https://news.ycombinator.com/item?id=43693900
    replies(1): >>44421718 #
    5. scrapheap No.44421364
    Revoking certificates and expiring certificates tackle two different security issues.

    You revoke a certificate when you believe that it might have been compromised. Expiring certificates helps protect you when you've unknowingly been compromised.

    So let's say that one of your employees accidentally pushed a private key for one of your certificates up to GitHub and you notice it. That's when you should immediately rotate that certificate and revoke the old one.

    Now let's say that the same thing happened but you didn't notice. That's where the certificate expiring comes into play. For a Let's Encrypt certificate there's currently going to be a maximum of 90 days where someone could find that private key and work out a way to exploit it; after that period the certificate would have expired and no longer be being used.

    replies(1): >>44428193 #
    6. tialaramex No.44421391
    One reason is Agility. Natural turnover due to expiration puts a reasonable maximum on the time needed to make any improvement that's not a flag day (a flag day is a situation where everybody in the ecosystem, so for today's Web that's billions of people, co-ordinates).

    Improvements can be changes to cryptographic algorithms, like "Don't use SHA-1" or to the nuances of the certificate document like "Don't use this X509 feature" or to the CA infrastructure like "Don't issue certificates for names which don't exist".

    Shortened certificate lifetimes improve agility by bringing forward that horizon. We can say "Stop doing X by August" tomorrow, and by Christmas 2026 there are no trusted end entity certificates which relied on X. A few years ago that took 3-5 years, at the turn of the century it was more than a decade and we repeatedly paid a price for that.

    7. zarzavat No.44421714
    Let's say you buy a domain name from someone. Do you really want the previous owner of the domain to own a certificate for your website until the end of time? Sure you can get it revoked but certificate expiration ensures that it will expire even if it doesn't get revoked. That's a vital part of the security model.
    8. layer8 No.44421718
    TLS server certificates, that is. It’s perfectly fine for other uses of certificates.
    replies(1): >>44423068 #
    9. bravesoul2 No.44421852
    While 90d might be short, 10 years is too long (encryption changes!)
    10. em-bee No.44423068{3}
    true, but i would guess that revoking certificates doesn't work in general, so this would apply to any situation where revoking is necessary.
    replies(1): >>44425479 #
    11. layer8 No.44425479{4}
    That guess is incorrect. Revocations are routine in PKI-based electronic signatures and authentication, and do work there.
    12. whatever1 No.44428193
    If expiring certificates offer some sort of security shouldn’t they be expiring after milliseconds?

    If I had compromised the Bank of America servers a couple of minutes would suffice to collect a ton of password combinations.

    replies(1): >>44431332 #
    13. scrapheap No.44431332{3}
    They are slowly reducing the period that certificates are valid for, not to the degree of milliseconds, but certainly to the point that renewing them will need to be automated.