[tptacek]

Short certificate lifetimes address the fact that TLS certificate revocation doesn't work. Password rotation --- which is no longer a NIST recommendation! --- addresses the concern that long-term secrets eventually leak. You can intuitively see how different the problem domains are from the fact that certificate lifetimes are far shorter than even the old NIST password rotation rules were, despite the fact that certificates are all stored securely relative to passwords.

But whether that's intuitive for you or not, the fact remains: short-lifetime automated certificate provisioning is a response to revocation.

[ocdtrekkie]

I do see your position re: passwords tend to successfully be canceled and certificates tend to not. But I would certainly argue that the downsides of rotation on user behavior and technical security design are quite costly. They remove a lot of the opportunity for risk-based authentication (like TOFU) and require people set up fragile automations capable of generating keys that claim to be them. And every certificate warning that isn't due to a real security problem creates alert fatigue that makes certificate errors seen as spurious.

I think short certificate lifetimes will be viewed in the relatively short future as misguided as the old NIST recommendation on passwords.

[tptacek]

We have short lifetimes because TLS revocation doesn't work. It's that simple.

To understand the distinction, imagine a password system where you can't change your password. You can make new ones, but the old ones still work. That's the problem TLS was facing.

[nickf]

Not quite that simple, no. It's a good reason, and while CRL and OCSP don't really work well - CRLite/OneCRL, CRLsets and valid all go some way to making revocation reasonably effective. Having an effective way to rotate all certificates, quickly, is a bigger reason. 1k -> 2k RSA took too long. SHA1 -> SHA2 took waaaaay too long. Changing anything about the webPKI takes too long unless everyone is on short lifetimes. The post-quantum bogeyman looms, too. Heartbleed and unforced CA errors become way less of a problem is everyone is forced to rotate monthly.

[tptacek]

Fair enough (I knew someone was going to come in here and whack me on this). I'd only say that this makes the overall argument for short-lifetime certs even stronger. :)

[nickf]

…and I didn’t even have to play the SC-081 sponsor card either ;)

[ocdtrekkie]

Even granting that, it's still both an ineffective fix and it introduces significantly worse security risks than it tries to mitigate, on a system that at its core is fundamentally bad.

PKI is structurally broken at every level. The reason there are so many changes and additions and new features being slapped on it, is because it's a really dumb system and the people who control it are very motivated to keep it in place at the expense of everything else.

[tptacek]

No, it doesn't.