Hacker News
by Bender 56 days ago
A case where I am fine with long-lived keys is a public static blog that has no sensitive data and does not allow user contribution of any kind. A site so static and public I can check 100% of the files and web server configuration into a public git repo minus the private key. That's just my take and my personal preference of course.

Honestly I would use a self-signed certificate if there was a way to tell the browser it is a static blog and not to add friction to the user experience. It's not like LE is adding identity verification to the process any more than a self-signed certificate would. It would be nifty if there was some naming standard that could tell the browser a blog is absolutely static and free of anything sensitive like staticblog.domain.tld so that it could dial down the "you are about to be pwned!", which I am sure some would abuse, but that's fine, let them.