by judge2020
2311 days ago
The original ballot was 3 yr -> 13 months with ballot 185 which did not pass. Text reason[0]:

> The validity period of certificates represents the single greatest impediment towards improving the security of the Web PKI. This is because it sets the upper-bound on when legacy behaviours may be safely deprecated, while setting a practical lower-bound for how long hacks and workarounds need to be carried around by clients.

Another reason I see is that your HTTPS certificates aren't invalidated when you don't renew a domain name, so an attacker could potentially MITM HTTPS if they previously owned the domain and had a valid long-lived certificate.

The browsers all want automation and 90-day certificates, but that's the polar opposite of what CAs want.

[0]: https://cabforum.org/pipermail/public/2017-January/009373.ht...