by rezonant 1606 days ago
Better to be man-in-the-middled for:

- One year instead of two? Yep.

- 3 months instead of 1 year? Yep.

- 1 week instead of 3 months? Yep.

The reason certificates have traditionally been so long is because it was a manual process. Using ACME it is possible to expire certificates every hour if you wanted to do that.
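To make the trade-off in this comment concrete, here is an added example (not code from the thread or from any ACME client) that parses the `notBefore`/`notAfter` lines `openssl x509 -noout -dates` prints, schedules renewal at a fixed fraction of the certificate's lifetime (the two-thirds point used here is an assumption, chosen to mirror the common "renew at 30 of 90 days" practice), and reports how long a key leaked right now would remain usable if revocation were not honoured. The sample dates and the "current time" are constructed values for a hypothetical 90-day certificate.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: what `openssl x509 -noout -dates -in cert.pem` prints
# for a hypothetical 90-day certificate (not a real certificate).
SAMPLE_DATES = """notBefore=Mar  1 00:00:00 2024 GMT
notAfter=May 30 00:00:00 2024 GMT
"""


def parse_openssl_dates(text):
    """Parse notBefore/notAfter lines into timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("notBefore", "notAfter"):
            # strptime treats whitespace in the format as "one or more", so the
            # double space OpenSSL prints before single-digit days is accepted.
            dt = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
            fields[key] = dt.replace(tzinfo=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("missing notBefore or notAfter line")
    return fields["notBefore"], fields["notAfter"]


def renewal_plan(not_before, not_after, now, renew_fraction=2 / 3):
    """Decide whether to renew, and measure the exposure window of the key.

    renew_fraction is an assumed policy: renew once this fraction of the
    lifetime has elapsed, leaving the rest as a buffer for failed renewals.
    """
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        raise ValueError("notAfter must be later than notBefore")
    renew_at = not_before + lifetime * renew_fraction
    # If the private key leaked at `now` and nobody honoured a revocation,
    # the certificate stays usable until notAfter: the remaining validity
    # is the worst-case exposure. Shorter lifetimes shrink this bound.
    exposure = max(not_after - now, timedelta(0))
    return {
        "lifetime_days": lifetime.total_seconds() / 86400,
        "renew_at": renew_at,
        "due": now >= renew_at,
        "expired": now >= not_after,
        "exposure_if_leaked_now_days": exposure.total_seconds() / 86400,
    }


def plan_for(dates_text, now_iso):
    """Convenience wrapper: OpenSSL dates text + ISO-8601 'now' -> plan."""
    not_before, not_after = parse_openssl_dates(dates_text)
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return renewal_plan(not_before, not_after, now)


if __name__ == "__main__":
    # Constructed "current time": one day after the renewal point.
    plan = plan_for(SAMPLE_DATES, "2024-05-01T00:00:00+00:00")
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Running it against the constructed sample shows a 90-day certificate whose renewal became due on April 30 and whose key, if leaked on May 1, would remain usable for at most 29 more days; swap in a two-year certificate and that bound is measured in hundreds of days, which is the point the comment is making.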


In the past, revocation was supposed to help cases where the owner of the certificate exposed the private key in one way or another.

Now it seems that revocation is supposed to help the CA covering up mistakes made by the CA.

Maybe we actually need a better CA.

The Baseline Requirements require revocation of misissued certificates; this isn't "a CA covering up mistakes."
> Maybe we actually need a better CA.

Go for it. Start one and tell us how it went.

If ever I have too much free time, I'll spend it modifying Firefox to support DANE.
I simply think your previous argument is disingenuous. We have a free-to-use CA whose code can be vetted, such mistakes can be caught, potential problems can be averted. If this is the price to pay, okay, so be it. Imagine what must fly under the radar of other CAs who do not have thousands of eyes vetting their code base - as in, those would never be visible.

So okay, maybe you don't have certs revoked and you don't need to restart your Traefik but are you really sure everything is okay?