Author Topic: TLS certs: lifespan will be reduced to 47 days  (Read 1880 times)


Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 8829
  • Country: de
  • A qualified hobbyist ;)
TLS certs: lifespan will be reduced to 47 days
« on: April 16, 2025, 10:47:37 am »
The news:
- SSL/TLS certificate lifespans reduced to 47 days by 2029, https://www.bleepingcomputer.com/neto-47-days-by-2029/
- TLS Certificate Lifetimes Will Officially Reduce to 47 Days, https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days

Will happen in steps:
- from March 15, 2026: lifespan and DCV 200 days
- from March 15, 2027: lifespan and DCV 100 days
- from March 15, 2029: lifespan 47 days and DCV 10 days

DCV: Domain Control Verification

I'm quite sceptical that the shorter lifespan will improve anything noteworthy. The CA system has many issues and those can't be fixed by technology. Also I doubt they have thought much about the impact of the lifespan reduction on people/orgs running websites or services with TLS support. Not everything can or will be automated. It appears to me that big tech admits that one CA aspect (CRLs) is totally broken and they try to mitigate that by passing the hot potato to their customers, following the enshittification scheme.
 
The following users thanked this post: nctnico
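
The schedule listed in the post above, turned into a check that can be run against the `notBefore`/`notAfter` values printed by `openssl x509 -noout -dates`. This is an added example, not part of the original post; the 398-day limit before the first step and the renew-after-two-thirds rule are assumptions that do not come from the thread.

```python
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Steps as listed in the post: (effective date, maximum lifespan in days).
SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
]
PRE_SCHEDULE_MAX_DAYS = 398   # assumption: limit before the first step
RENEW_FRACTION = 2 / 3        # assumption: renew after 2/3 of the lifetime


def parse_openssl_time(text):
    """Parse a notBefore/notAfter value such as 'Apr  1 00:00:00 2029 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=UTC)


def max_lifespan_days(issued):
    """Return the lifespan limit in force on the issuance date."""
    limit = PRE_SCHEDULE_MAX_DAYS
    for effective, days in SCHEDULE:
        if issued >= effective:
            limit = days
    return limit


def audit(not_before, not_after, now):
    """Return (status, over_limit, renew_at) for one certificate."""
    issued = parse_openssl_time(not_before)
    expires = parse_openssl_time(not_after)
    lifetime = expires - issued
    over_limit = lifetime > timedelta(days=max_lifespan_days(issued))
    renew_at = issued + lifetime * RENEW_FRACTION
    if now >= expires:
        status = "expired"
    elif now >= renew_at:
        status = "renew"
    else:
        status = "ok"
    return status, over_limit, renew_at


if __name__ == "__main__":
    # Constructed sample: a 47-day certificate issued after the last step.
    now = datetime(2029, 5, 10, tzinfo=UTC)
    print(audit("Apr  1 00:00:00 2029 GMT", "May 18 00:00:00 2029 GMT", now))
```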

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 29481
  • Country: nl
    • NCT Developments
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #1 on: April 16, 2025, 12:15:51 pm »
Without date/time being guarded at all (date/time distribution happens through the least secure protocols!), having a date/time limit on certificates is a big joke. Security shouldn't rely on date/time at all because a denial of service attack is super easy to execute.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: peter-h

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7672
  • Country: ca
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #2 on: April 16, 2025, 01:50:02 pm »
If that is so easy, why has it not happened?
Facebook-free life and Rigol-free shack.
 

Offline bitwelder

  • Super Contributor
  • ***
  • Posts: 1043
  • Country: fi
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #3 on: April 16, 2025, 02:06:11 pm »
I wonder how that will go with the Extended Verification certificate business, whether customers will be billed for each newly minted cert or how else?
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2558
  • Country: us
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #4 on: April 16, 2025, 02:36:22 pm »
Let's say I have an ESP32 embedded product that takes various sensor readings, and which phones home to a website every now and then.  Does the shorter lifespan of certificates mean I will have to flash new firmware every 47 days?  I believe Cloudflare has announced that they will stop handling any traffic that uses port 80, so I think that means https will be required.  If the website gets a new certificate, it seems my device will no longer communicate with it.  Is that right?
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 8112
  • Country: 00
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #5 on: April 16, 2025, 02:40:45 pm »
Quote
I believe Cloudflare has announced that they will stop handling any traffic that uses port 80

Could you not have your webserver listening on, say, 8080?
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7672
  • Country: ca
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #6 on: April 16, 2025, 03:00:14 pm »
Quote
Also I doubt they have thought much about the impact of the lifespan reduction on people/orgs running websites or services with TLS support. Not everything can or will be automated. It

Browsers (as in companies) do not give a shit about internal enterprise infrastructure operations. They only focus on public internet.
Facebook-free life and Rigol-free shack.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 29481
  • Country: nl
    • NCT Developments
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #7 on: April 16, 2025, 03:07:02 pm »
Quote
If that is so easy, why has it not happened?

It has happened in the NL. Multiple airports had to shut down and many government agencies were affected. People could not get into buildings because the security system had the wrong time and thus their (time based) access passes were invalid. It took a while to fix as the network engineers who could fix the situation were locked out as well.
« Last Edit: April 16, 2025, 03:16:00 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 8829
  • Country: de
  • A qualified hobbyist ;)
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #8 on: April 16, 2025, 03:10:08 pm »
Quote
Browsers (as in companies) do not give a shit about internal enterprise infrastructure operations. They only focus on public internet.

Internal stuff can be easily handled by an internal CA, especially for private IP address space.
 
The following users thanked this post: Siwastaja

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7672
  • Country: ca
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #9 on: April 16, 2025, 04:24:24 pm »
It cannot be on the edge (web-facing perimeter), where it is still an internal operation.
Facebook-free life and Rigol-free shack.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: pl
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #10 on: April 16, 2025, 08:08:24 pm »
Burdensome security is the greatest threat to security.

I’m worried this is going to slow down adoption of TLS and in some areas it may even reverse it. The 90-day limit from Let’s Encrypt is already tough. 47 days is unbearable without automatizing the process. The change seems like yet another move where narrow-minded decision-makers fail to understand the world doesn’t end on a few corporate services.

There are benefits to shortening lifespan, but that is to be weighed by the administrator. Not forced upon them.
 
The following users thanked this post: dferyance

Offline bitwelder

  • Super Contributor
  • ***
  • Posts: 1043
  • Country: fi
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #11 on: April 17, 2025, 07:13:47 am »
I guess the main problem is that there is no simple way to manage certificate revocation (CRLs and OCSP have their own limitations), so the only way they found is to rely on a short lifetime so that even if there is a 'rogue' certificate in the wild that should be detected as invalid, it won't live for too long.
Every other consideration seems to be sacrificed on this altar of certificate holiness.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 17067
  • Country: fr
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #12 on: May 03, 2025, 12:55:13 pm »
That doesn't look like a good idea.
But this will create jobs.  :-DD
 

Offline peter-h

  • Super Contributor
  • ***
  • Posts: 5292
  • Country: gb
  • Doing electronics since the 1960s...
Re: TLS certs: lifespan will be reduced to 47 days
« Reply #13 on: June 05, 2025, 06:19:43 am »
This just creates more work for sysadmins, fixing cert renewal cron jobs which failed for [insert one of many reasons] :)
Z80 Z180 Z280 Z8 S8 8031 8051 H8/300 H8/500 80x86 90S1200 32F417
 

