“Support for Short-Term, Automatically-Renewed (STAR) Certificates in ACME”. https://twitter.com/Cryptoki/status/1165299507304816642
An argument that operators use against short-lived certs is that empirically automated cert issuance has more downtime than OCSP. STAR allows issuance to work like OCSP - new certs distributed via a highly-available CDN and retrieved with unauthenticated GET.
Key rotation is important, so STAR orders expire, after which the client can renew with a new key. So keys need not be any longer-lived under STAR than they are with today's long-lived certs.
It may not be necessary for Google, but if this makes short-lived certs palatable to other operators, it's an improvement over the status quo, even if keys are not rotated ~daily.
Empirically: by observation, not pure logic. Pure logic and measurement, on the other hand, show that automated things fail less than manual things.
I understand what it does; I just am not sure it is needed.