undefined | Better HN

0 pointskoolba5y ago0 comments

Shortening the validity duration does not stop any of those issues. It just shortens the duration of a potential attack to one year.

0 comments

hannob5y ago

The validity time is part of a process where browser vendors have tightened rules for CAs over time.

We got plenty of gradual improvements over time. Validity time does not stop incidents, but it makes the impact smaller and allows ecosystem improvements to propagate faster.

Take for example Certificate Transparency, which is one of the most important ecosystem improvements. It was required for new certificates in 2018. But we still can't rely on Certificate Transparency logging for all certificates, as the certificate lifetimes were so long.

In the future such improvements will take maximum 1 year till all certificates have them.

fastball5y ago

Eliminate, no. But the goal of security is generally not to make breaches impossible, but to mitigate them / make them harder to achieve.

It's an uphill battle but I'm glad browser vendors are fighting it.

j / k navigate · click thread line to collapse