by nickf
331 days ago
Not quite that simple, no. It's a good reason, and while CRL and OCSP don't really work well - CRLite/OneCRL, CRLsets and valid all go some way to making revocation reasonably effective.

Having an effective way to rotate all certificates, quickly, is a bigger reason. 1k -> 2k RSA took too long. SHA1 -> SHA2 took waaaaay too long. Changing anything about the webPKI takes too long unless everyone is on short lifetimes. The post-quantum bogeyman looms, too. Heartbleed and unforced CA errors become way less of a problem if everyone is forced to rotate monthly.