by nottorp
155 days ago
>which includes basically every entity that ships a popular web browser and every entity that ships certificates trusted in those browsers.

So no one that actually has to renew these certificates. Hey! How long does a root certificate from a certificate authority last? 10 to 25 years? Why don't those last 120 minutes? They're responsible for the "security" of the whole internet aren't they?
|
In another comment someone linked to a document from the Chrome team.
Here’s a quote that I found interesting:
“In Chrome Root Program Policy 1.5, we landed changes that set a maximum ‘term-limit’ (i.e., period of inclusion) for root CA certificates included in the Chrome Root Store to 15 years.
While we still prefer a more agile approach, and may again explore this in the future, we encourage CA Owners to explore how they can adopt more frequent root rotation.”
https://googlechrome.github.io/chromerootprogram/moving-forw...