undefined | Better HN

0 pointsyardstick4mo ago0 comments

> HTTPS doesn't have mandatory key rotation every 90 days. LetsEncrypt does for reasons that they document, but you can go elsewhere if you'd prefer.

A lot of this discussion is about how the browsers define their security requirements on top of HTTPS/TLS/etc.

Such as what CAs they trust by default, and what’s the maximum lifetime of a certificate before they won’t trust it. I believe it is now 2 years? Going even lower soon.

0 comments

saurik4mo ago

They don't require key rotation, though, merely certificate busy work; if they wanted key rotation they could try to add some mechanism for it, but I've been using the same key for over a decade now.

j / k navigate · click thread line to collapse

0 pointsyardstick4mo ago0 comments

> HTTPS doesn't have mandatory key rotation every 90 days. LetsEncrypt does for reasons that they document, but you can go elsewhere if you'd prefer.

A lot of this discussion is about how the browsers define their security requirements on top of HTTPS/TLS/etc.

Such as what CAs they trust by default, and what’s the maximum lifetime of a certificate before they won’t trust it. I believe it is now 2 years? Going even lower soon.

0 comments

saurik4mo ago

They don't require key rotation, though, merely certificate busy work; if they wanted key rotation they could try to add some mechanism for it, but I've been using the same key for over a decade now.

j / k navigate · click thread line to collapse