Exactly five years ago, I made this Git commit to discontinue multi-year certificates at @SSLMate. Today the CA/Browser Forum finished voting on a ballot to limit all publicly-trusted certificates to 1 year. (1/7) pic.twitter.com/oTyWwGqbJ3
1 year certs are good for regular Web users, because certificates issued with weak cryptography or weak validation practices are cycled out faster. Security improvements, like Certificate Transparency, can be rolled out more quickly. (3/7)
1 year certs are good for site operators because certificate renewal is a more regular event rather than something that they have to scramble to remember how to do at the last minute. (Full automation is even better, but not always feasible yet. 1 year is a happy medium.) (4/7)
1 year certs are more honest, because serious security incidents mean a long-lived cert might not remain valid for its entire term. Every 5 year cert issued through @SSLMate before Sep 2014 had to be replaced twice: for the SHA-1 deprecation, and for the Symantec distrust. (5/7)
1 year certs are better for @SSLMate, since they allow us to iterate more quickly without having to deal with legacy baggage. I deleted 20k lines of code in April. I couldn't have deleted all that code if the system still had to manage certificates issued in 2014. (6/7)
I can't wait to see certificates limited to 1 year everywhere, and I'm proud I was ahead of the curve on this. https://sslmate.com/blog/post/one_year_certs … (7/7)
Is there a precedent for browsers actively contradicting a CA/B Forum ballot result? I'm afraid that could jeopardize the whole forum.
Sort of - Mozilla has been gradually working on requiring that misissuances be reported to Bugzilla and included in audit reports, which is a weaker version of the failed Ballot 161, which also split on CA/browser lines. https://cabforum.org/2016/02/12/ballot-161/ …
The alternative may be to promote DNS-based schemes; whilst DNS security is mixed, it at least removes CA as a failure point long term.