undefined | Better HN

0 pointsdmitrygr3d ago0 comments

Which is yet another chore. And it doesn’t add any security. A certificate expired yesterday proves I am who I am just as much as it did yesterday. As long as the validity length is shorter than how long it would take somebody to work out the private key from the public key, it is fine.

0 comments

bombcar3d ago

Shortening certificate periods is just their way of admitting that certification revocation lists are absolutely worthless.

nightpool3d ago

No, they're not useless at all. The point of shortening certificate periods is that companies complain when they have to put customers on revocation lists, because their customers need ~2 years to update a certificate. If CRLs were useless, nobody would complain about being put on them. If you follow the revocation tickets in ca-compliance bugzilla, this is the norm—not the exception. Nobody wants to revoke certificates because it will break all of their customers. Shortening the validity period means that CAs and users are more prepared for revocation events.

pas3d ago

... what are the revocation tickets about then? how is it even a question whether to put a cert on the CRL? either the customer wants to or the key has been compromised? (in which case the customer should also want to have it revoked ASAP, no?)

can you elaborate on this a bit? thank you!

3 more replies

nathanaldensr3d ago

Right. It's the same debate about how long authorization cookies or tokens should last. At one point in time--only one--authentication was performed in a provable enough manner that the certificate was issued. After that--it could be seconds, hours, days, years, or never--that assumption could become invalid.

danesparza3d ago

An expired cert is a smell. It shows somebody isn't paying attention.

And a short expiration time absolutely increases security by reducing attack surface.

ajsnigrutin3d ago

Or that someone asked to renewed it, one of their four bosses didn't sign off the apropriate form, the only person to take that form to whoever does the certs is on a vacation, person issuing certs needs all four of his bosses to sign it off, and one of those bosses has been DOGE-ed and not yet replaced.

expired letsencrypt cert on a raspberrypi at home smells of not paying attention... with governments, there are many, many points of failure.

hananova3d ago

The whole point of these shorter certificate durations is to force companies to put in automation that doesn't require 14 layers of paperwork. Some companies will be stubborn, and will thus be locked in an eternal cycle of renew->get paperwork started for renew. Most will adapt.

1 more reply

danesparza3d ago

Humbly, I disagree with you. What better use of our tax dollars than to automate away as many problems as we can?

dmitrygrOP3d ago

It did until it got so short that it created a new potential attack surface — the scripts everyone is using to auto update them.

organsnyder3d ago

Compared to the manual processes these scripts replaced, I'd put more trust in the automations.

1 more reply

allthetime3d ago

"yet another chore"

use cloudflare, never think about it.

use certbot, never think about it.

dmitrygrOP3d ago

I am curious how long the approval process in some large corp or the military would be for either of those options...

Hand over our private keys to a third party or run this binary written by some volunteers in some basements who will not sign a support contract with us...

icedchai3d ago

I've worked with large "enterprises" that refuse to use the easy-to-automate certificate services, including AWS Certificate Manager. They would rather continue to procure certificates through a third party, email around keys, etc. They somehow believe these archaic practices are more secure.

hananova3d ago

Well they can either automate it, or soon spend literally every waking moment in a cycle of paperwork to chase the next renewal.

The whole point was to force automation, and if corps want to be stubborn that's no skin of my back, the shorter durations are coming regardless.

allthetime3d ago

In this case some manual work may need to be done.

dpoloncsak3d ago

Isn't that why certificates expire, and the expiry window is getting shorter and shorter? To keep up with the length of time it takes someone to crack a private key?

JoshTriplett3d ago

No, it has nothing to do with the time to crack encryption. It's to protect against two things: organizations that still have manual processes in place (making them increasingly infeasible in order to require automatic renewal) and excessively large revocation lists (because you don't need to serve data on the revocation of a now-expired certificate).

dmitrygrOP3d ago

No. The sister comment gave the correct answer. It is because nobody checks revocation lists. I promise you there’s nobody out there who can factor a private key out of your certificate in 10, 40, 1000, or even 10,000 days.

dpoloncsak3d ago

I thought I remembered someone breaking one recently, but (unless I've found a different recent arxiv page) seems like it was done using keys that share a common prime factor. Oops!

Fwiw: https://arxiv.org/abs/2512.22720

shagie3d ago

It's also a "how much exposure do people have if the private key is compromised?"

Yes, its to make it so that a dedicated effort to break the key has it rotated before someone can impersonate it... its also a question of how big is the historical data window that an attacker has i̶f̶ when someone cracks the key?

j / k navigate · click thread line to collapse

0 comments

bombcar3d ago

Shortening certificate periods is just their way of admitting that certification revocation lists are absolutely worthless.

nightpool3d ago

pas3d ago

can you elaborate on this a bit? thank you!

3 more replies

nathanaldensr3d ago

danesparza3d ago

An expired cert is a smell. It shows somebody isn't paying attention.

And a short expiration time absolutely increases security by reducing attack surface.

ajsnigrutin3d ago

expired letsencrypt cert on a raspberrypi at home smells of not paying attention... with governments, there are many, many points of failure.

hananova3d ago

1 more reply

danesparza3d ago

Humbly, I disagree with you. What better use of our tax dollars than to automate away as many problems as we can?

dmitrygrOP3d ago

It did until it got so short that it created a new potential attack surface — the scripts everyone is using to auto update them.

organsnyder3d ago

Compared to the manual processes these scripts replaced, I'd put more trust in the automations.

1 more reply

allthetime3d ago

"yet another chore"

use cloudflare, never think about it.

use certbot, never think about it.

dmitrygrOP3d ago

I am curious how long the approval process in some large corp or the military would be for either of those options...

Hand over our private keys to a third party or run this binary written by some volunteers in some basements who will not sign a support contract with us...

icedchai3d ago

hananova3d ago

Well they can either automate it, or soon spend literally every waking moment in a cycle of paperwork to chase the next renewal.

The whole point was to force automation, and if corps want to be stubborn that's no skin of my back, the shorter durations are coming regardless.

allthetime3d ago

In this case some manual work may need to be done.

dpoloncsak3d ago

Isn't that why certificates expire, and the expiry window is getting shorter and shorter? To keep up with the length of time it takes someone to crack a private key?

JoshTriplett3d ago

dmitrygrOP3d ago

dpoloncsak3d ago

I thought I remembered someone breaking one recently, but (unless I've found a different recent arxiv page) seems like it was done using keys that share a common prime factor. Oops!

Fwiw: https://arxiv.org/abs/2512.22720

shagie3d ago

It's also a "how much exposure do people have if the private key is compromised?"

j / k navigate · click thread line to collapse