
181 points by zdw | 1 comment

whatever1 (No.44420959)
Is it the right time to rant about the cert expiration as a concept? I understand why certs might be revoked. But expire?
1. tialaramex (No.44421391)
One reason is Agility. Natural turnover due to expiration puts a reasonable maximum on the time needed to make any improvement that's not a flag day (a flag day is a situation where everybody in the ecosystem, so for today's Web that's billions of people, co-ordinates).

Improvements can be changes to cryptographic algorithms, like "Don't use SHA-1" or to the nuances of the certificate document like "Don't use this X509 feature" or to the CA infrastructure like "Don't issue certificates for names which don't exist".

Shortened certificate lifetimes improve agility by bringing forward that horizon. We can say "Stop doing X by August" tomorrow, and by Christmas 2026 there are no trusted end entity certificates which relied on X. A few years ago that took 3-5 years, at the turn of the century it was more than a decade and we repeatedly paid a price for that.
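The comment's "stop issuing by August, gone by Christmas 2026" reasoning is a date calculation plus an inventory check: the horizon after which no compliant certificate can still rely on feature X is the issuance cutoff plus the maximum permitted lifetime. The following is an added example, not code from the thread or any CA software; the certificate inventory, the policy values (a 398-day cap, SHA-1 as the deprecated feature "X", an issuance cutoff of 31 August 2025) and the `Cert` model are all constructed here for illustration. It computes the horizon for several lifetime caps and audits a small inventory for certificates that either break the lifetime cap, were issued with the deprecated algorithm after the cutoff, or will still be valid past the horizon.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    """Minimal model of an end-entity certificate (constructed for this example)."""
    name: str
    not_before: date
    not_after: date
    sig_alg: str  # e.g. "sha1WithRSAEncryption" is the deprecated feature "X" here

    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days


def horizon(issuance_cutoff: date, max_lifetime_days: int) -> date:
    """Latest notAfter a policy-compliant cert relying on X can carry.

    A cert issued on the last permitted day with the maximum lifetime expires
    exactly max_lifetime_days after the cutoff; nothing compliant outlives it.
    """
    return issuance_cutoff + timedelta(days=max_lifetime_days)


def audit(certs, deprecated_alg, issuance_cutoff, max_lifetime_days):
    """Return (horizon, findings) for an inventory under the given policy.

    Findings are (cert name, reason) pairs a defender would want to act on.
    """
    h = horizon(issuance_cutoff, max_lifetime_days)
    findings = []
    for c in certs:
        if c.lifetime_days > max_lifetime_days:
            findings.append((c.name, "lifetime exceeds policy cap"))
        if c.sig_alg == deprecated_alg:
            if c.not_before > issuance_cutoff:
                # Issued after the ecosystem said "stop doing X": a CA/issuer bug
                findings.append((c.name, "issued with deprecated alg after cutoff"))
            elif c.not_after > h:
                # Issued in time but lives past the horizon the policy promised
                findings.append((c.name, "deprecated alg cert outlives horizon"))
    return h, findings


# Constructed inventory; names and dates are illustrative only.
INVENTORY = [
    Cert("ok-sha256", date(2025, 9, 1), date(2026, 10, 3), "sha256WithRSAEncryption"),
    Cert("legacy-sha1", date(2025, 8, 1), date(2026, 9, 1), "sha1WithRSAEncryption"),
    Cert("late-sha1", date(2025, 9, 15), date(2026, 9, 15), "sha1WithRSAEncryption"),
    Cert("long-sha1", date(2024, 1, 1), date(2026, 12, 31), "sha1WithRSAEncryption"),
]
CUTOFF = date(2025, 8, 31)          # "Stop doing X by August"
DEPRECATED = "sha1WithRSAEncryption"


def run_example():
    # How the horizon moves as the lifetime cap shrinks (values are illustrative caps)
    for cap in (1825, 398, 47):
        print(f"cap {cap:4d} days -> no trusted cert relying on X after {horizon(CUTOFF, cap)}")
    h, findings = audit(INVENTORY, DEPRECATED, CUTOFF, 398)
    print(f"horizon under a 398-day cap: {h}")
    for name, reason in findings:
        print(f"  {name}: {reason}")
    return h, findings


if __name__ == "__main__":
    run_example()
```

The point the example makes concrete is that the horizon depends only on the cutoff and the cap, not on how many certificates exist, which is why a shorter cap makes every future deprecation land sooner; the audit is the check an operator runs on their own inventory to confirm nothing they hold will be the reason that promise is broken.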