by saurik 278 days ago
How is this actually better (or conceptually even different) than just having the issuer's servers issue new certificates that only last 24 hours?

It's not better.

Short-lived certificates are definitely the better way forward.

24-hour certificates will add significantly more load on CAs, a lot more than maintaining an OCSP responder.

But, signing the updated expiration date seems like exactly the same amount of signing as just signing the entire certificate?