“Support for Short-Term, Automatically-Renewed (STAR) Certificates in ACME”. https://twitter.com/Cryptoki/status/1165299507304816642 …
Key rotation is important, so STAR orders expire, after which the client can renew with a new key. So keys need not be any longer-lived under STAR than they are with today's long-lived certs.
It may not be necessary for Google, but if this makes short-lived certs palatable to other operators, it's an improvement over the status quo, even if keys are not rotated ~daily.
I’m not speaking as Google, just Ryan; I get that it lets you renew against the same key for a fixed period. That’s the most impactful element of the proposal, since cached validations reduce the need to recalibrate on renewal. I just ask why?
Not exactly; nothing in ACME prevents long-lived certs. Nor does it prevent key reuse, I guess, but the pattern in use doesn’t design around key reuse.
This enshrouds key reuse into the workflow and will likely end up with long-lived transactions with the same key vs. many short-lived transactions with new keys.