by trollied 1254 days ago
Is there a better way for dealing with certs? Would a very very long expiry date be better, and a bigger emphasis put on being able to invalidate them? The number of times "it's always the certificate" pops its head up after an outage is on the increase (when it's not DNS or BGP!) :-)
3 comments

We seem to be moving in the opposite direction, actually.

People fail to renew them because it is a very infrequent thing. At one point you could get certificates that were valid for five years. This was reduced to three, and is now even down to one year. If it is that infrequent, renewing the certificate becomes an ad-hoc thing, which is most likely poorly documented and easily forgotten about.

On the other hand, LetsEncrypt certificates are valid for 90 days, and I believe they want to make that even shorter. At that point the only viable way to deal with certificates is to set up tooling that will automatically renew them, solving the entire expiry issue in the process.

I think the opposite. A short expiry time à la LetsEncrypt, but with a process to "adopt" the new certificate. That is, the website can say, "I'm using this cert now, soon I'll be using that one".

Then the browser can be more strict with warning of unscheduled cert changes, and an expired-but-adopted cert is not a big issue and browsers don't have to be so alarmist about it.

Invalidation more or less doesn't work. Mandatory OCSP stapling could change that, maybe, but it also means your clients need to have much tighter time synchronization[1], and your servers need to be able to make the OCSP requests, and the OCSP servers need to have relatively high availability. An extended DDoS against an OCSP server in a mandatory stapling environment would effectively invalidate large numbers of certificates and be a real big mess.

[1] and no localtime bugs; I've worked with platforms that don't accept certificates where NotBefore interpreted in local time hasn't been reached. Which means you've got to let your certificates sit for hours before using them if you have customers in Hawaii or other pacific islands on this side of the date line.
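To make the two points from the comments above concrete (the NotBefore-interpreted-in-local-time bug, and the automated renewal check that makes 90-day certificates a non-event), here is an added Python example; it is not code from this thread or from any of the commenters. It parses X.509 validity fields, which RFC 5280 requires to be UTC, and contrasts a correct check with a deliberately buggy one that treats the digits as local wall-clock time; the certificate dates and the UTC-10 "Hawaii client" are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

def parse_x509_time(s: str) -> datetime:
    """Parse an X.509 validity field: UTCTime 'YYMMDDHHMMSSZ' or
    GeneralizedTime 'YYYYMMDDHHMMSSZ'. RFC 5280 requires both to be UTC."""
    if not s.endswith("Z"):
        raise ValueError(f"validity time must end in 'Z' (UTC): {s!r}")
    body = s[:-1]
    if len(body) == 12:                        # UTCTime: two-digit year
        yy = int(body[:2])                     # RFC 5280 pivot: >= 50 -> 19YY
        body = f"{1900 + yy if yy >= 50 else 2000 + yy}{body[2:]}"
    elif len(body) != 14:
        raise ValueError(f"unexpected validity time: {s!r}")
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def is_valid_at(not_before: str, not_after: str, now: datetime) -> bool:
    """Correct check: compare the UTC validity window against a UTC clock."""
    return parse_x509_time(not_before) <= now <= parse_x509_time(not_after)

def is_valid_at_buggy(not_before: str, not_after: str, now: datetime,
                      utc_offset_hours: int) -> bool:
    """Reproduces the bug described in the comment (constructed illustration):
    the digits of NotBefore/NotAfter are taken as *local* time. West of UTC
    this shifts NotBefore into the future, so a fresh cert is rejected."""
    local = timezone(timedelta(hours=utc_offset_hours))
    nb = parse_x509_time(not_before).replace(tzinfo=local)
    na = parse_x509_time(not_after).replace(tzinfo=local)
    return nb <= now <= na

def hours_until_buggy_client_accepts(not_before: str, now: datetime,
                                     utc_offset_hours: int) -> float:
    """How long a buggy client at the given offset keeps refusing a cert
    whose NotBefore (in UTC) has already passed; 0.0 if it accepts it now."""
    local = timezone(timedelta(hours=utc_offset_hours))
    nb = parse_x509_time(not_before).replace(tzinfo=local)
    return max(0.0, (nb - now).total_seconds() / 3600)

def renewal_due(not_after: str, now: datetime, threshold_days: int = 30) -> bool:
    """Automation hook: renew once fewer than threshold_days remain."""
    return parse_x509_time(not_after) - now < timedelta(days=threshold_days)

# Constructed sample: a 90-day cert issued 2024-01-01 12:00 UTC, checked an hour later.
NB, NA = "240101120000Z", "240331120000Z"
NOW = datetime(2024, 1, 1, 13, tzinfo=timezone.utc)
LATER = NOW.replace(month=3, day=15)           # 16 days before expiry

if __name__ == "__main__":
    print(is_valid_at(NB, NA, NOW))                        # True
    print(is_valid_at_buggy(NB, NA, NOW, -10))             # False: Hawaii client
    print(hours_until_buggy_client_accepts(NB, NOW, -10))  # 9.0
```

Clients east of UTC (offset +9, say) never see the problem, because treating the digits as local time moves NotBefore into the past, which is why the bug only bites on one side of the date line.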

At least certificate errors are big and in your face, unlike BGP and sometimes DNS.