Technology

The most-aggressively short timelines don't apply until 2029. Regardless, now is the time to get serious about automation. That is going to require vendors of a lot of off-the-shelf products to come up with better (or any) automation integrations for existing cert management systems or whatever the new standard becomes.

The current workflow many big orgs use is something like:

1. Poor bastard application engineer/support guy is forced to keep a spreadsheet for all the machines and URLs he "owns" and set 30-day reminders when they will expire,

2. manually generate CSRs,

3. reach out to some internal or 3rd party group who may ignore his request or fuck it up twice before giving him correct signed certs,

4. schedule and get approval for one or more "possible brief outage" maintenance windows because the software requires manually rebinding the new certs in some archaic way involving handjamming each cert into a web interface on a separate Windows box.

As the validity period shrinks and the number of environments the average production application uses grows, the concept of doing these processes manually becomes a total clusterfuck.

My concern is basically that this forces people to use very expensive cert providers, since it is infeasible to setup and connect and secure an HSM that can do this yourself. And Microsoft and Amazon have tricked the browser forums that their online ones are good enough.

It essentially puts yet another monopoly into the “open” Web. The CA browser forum is a joke at this point and I don’t respect any of the decision in the last 10 years. They all serve to further centralize and close off the web.

People keep bringing up LetsEncrypt, but it very much cannot issue EV carts. It costs THOUSANDS of dollars to use a service that can auto renew “trusted certs”.

Nice, having to renew the EV cert and upload it every month manually to all our hardware load balancer will be a great pleasure ! Thank you Apple ! /s

I have mixed feelings about this.

On one hand, I agree with the technical merits. Having an automated process to renew short lived tls certs is "a good thing" and I think services like Let's Encrypt have demonstrated such automation is viable (at large scale).

But, there are reasons why people pay money for tls Certs rather than use free (short lived) Certs. For example, there's a mom-and-pop webhosting company that allows you to upload your tls Certs (they cost < $25 / year) or you can pay them $95 / year to use their Certs (and they just use Let's Encrypt - lol)

The nearly 4x markup is their "convenience fee" or "dumb tax". Regardless, once the 45 day tls Certs are enforced, I'll have no choice in either paying their 4x markup or migrating to another platform.

... Having a choice is not always a bad thing...

I just hope that automation doesn't bring new vulnerabilities... Otherwise we get safer cert but poorly secured automated PKI to create the certs?

I mean if you have a fully automated cert deployment it could be months with a compromised system and you probably wouldn't see it.

I don't know how effective this will be. It still seems short even if it starts in 2029.

Get ready for a bunch more 1 and 2 day outages because someone forgot/missed the deadline to renew some crusty server somewhere. This is such massive overkill for most servers. End users should start getting used to that expired certificate warning in their browser of choice and the process to tell it to continue to the site anyway.

Why 47 Days? 47 days might seem like an arbitrary number, but it’s a simple cascade:

200 days = 6 maximal month (184 days) + 1/2 30-day month (15 days) + 1 day wiggle room 100 days = 3 maximal month (92 days) + ~1/4 30-day month (7 days) + 1 day wiggle room 47 days = 1 maximal month (31 days) + 1/2 30-day month (15 days) + 1 day wiggle room

This seems sensible.