“Support for Short-Term, Automatically-Renewed (STAR) Certificates in ACME”. https://twitter.com/Cryptoki/status/1165299507304816642
It may not be necessary for Google, but if this makes short-lived certs palatable to other operators, it's an improvement over the status quo, even if keys are not rotated ~daily.
I’m not speaking as Google, just Ryan; I get that it lets you renew against the same key for a fixed period. That’s the most impactful element of the proposal, since cached validations reduce the need to recalibrate on renewal. I just ask why?
Arguments like https://github.com/WICG/webpackage/issues/378#issuecomment-457011076: "7-day lifetime would limit uptime. In practice they see longer downtime periods for certificate issuance than OCSP."
If it does make short-lived certs more palatable I would agree; I just don’t see how it does. The fear of short-lived certs in my experience is around frequent operational change, not the life of the cert.
I guess the key reuse does let you change the cert under the covers without unloading the private key from memory, but you still need the server to be smart enough to reload the cert on change, and if it does one, shouldn’t it do both?