On 06/16/2016 10:53 AM, Walter H. wrote:
> Let's Encrypt only trusts for 3 months; would you really expect, in an
> online shop, someone trusts this shop?
> let us think something like this: "when the CA only trusts for 3
> months, how should I trust for a longer period,
> which is important for warranty ..."

I doubt that most users check the dates on SSL certificates, unless they are familiar enough with TLS to understand that a shorter validity period is better for security.
On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote:
> On 06/16/2016 10:53 AM, Walter H. wrote:
>> Let's Encrypt only trusts for 3 months; would you really expect, in an
>> online shop, someone trusts this shop?
>> let us think something like this: "when the CA only trusts for 3
>> months, how should I trust for a longer period,
>> which is important for warranty ..."
>
> I doubt that most users check the dates on SSL certificates, unless they
> are familiar enough with TLS to understand that a shorter validity
> period is better for security.

Oh, this is what he meant: cert validity period. Though I agree with you in general (the shorter the period the public key is exposed, the smaller the chance the secret key is discovered by brute force), logistically, as the one who has to handle quite a few certificates, I will only go with certificates valid for a year, or better 2 years. Given the bandwidths and ciphers, these certificates can still provide the necessary security (I exclude here such things as server system compromises, which have nothing to do with the time the server exists or the certificate lives on the server - do I miss something?).

Just my $0.02

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev wrote:
>
> On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote:
>> On 06/16/2016 10:53 AM, Walter H. wrote:
>>> Let's Encrypt only trusts for 3 months; would you really expect, in an
>>> online shop, someone trusts this shop?
>>> let us think something like this: "when the CA only trusts for 3
>>> months, how should I trust for a longer period,
>>> which is important for warranty ..."
>>
>> I doubt that most users check the dates on SSL certificates, unless they
>> are familiar enough with TLS to understand that a shorter validity
>> period is better for security.
>
> Oh, this is what he meant: cert validity period. Though I agree with you
> in general (the shorter the period the public key is exposed, the smaller
> the chance the secret key is discovered by brute force), logistically, as
> the one who has to handle quite a few certificates, I will only go with
> certificates valid for a year, or better 2 years. Given the bandwidths
> and ciphers, these certificates can still provide the necessary security
> (I exclude here such things as server system compromises, which have
> nothing to do with the time the server exists or the certificate lives
> on the server - do I miss something?).

There is also what use is being made of it. For internal dev websites, for example, not available to the outside world, I create self-signed certificates for one length of time... ten years. By that time, the project, if it's still around, will have gone other ways.

mark
On 16.06.2016 20:09, Gordon Messmer wrote:
> On 06/16/2016 10:53 AM, Walter H. wrote:
>> Let's Encrypt only trusts for 3 months; would you really expect, in an
>> online shop, someone trusts this shop?
>> let us think something like this: "when the CA only trusts for 3
>> months, how should I trust for a longer period,
>> which is important for warranty ..."
>
> I doubt that most users check the dates on SSL certificates, unless
> they are familiar enough with TLS to understand that a shorter
> validity period is better for security.

Technically there is more: it is not that the user needs to check the dates an SSL certificate is valid;

just compare it with real life: which salesman would you trust more - the one that gets a new car every few years, which has the same advertisements on it and maybe has the same color, or the other one that gets nearly every month a new car, which looks totally different, other color and other advertisements on it? (and it's not a car dealer)

The same it is with SSL certificates; so you have to find the golden middle way: long enough without losing the security, and not too short, so as not to lose trust;

Walter
On 06/16/2016 11:23 AM, Valeri Galtsev wrote:
> as the one who has to handle quite a
> few certificates, I will only go with certificates valid for a year,
> ...do I miss something?).

Yes. The tool that creates certificate/key pairs, submits the CSR, and installs the certificate is intended to be fully automated. In production, you should be running it as an automatic job. As someone who handles a lot of certificates, I can't imagine why I'd want any other CA to handle my certs (excluding the EV certs).
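Gordon's point above is that the renewal tool is meant to run unattended, and the decision such a job makes is simple: read the validity window out of the certificate and act when the remaining lifetime drops below a margin. The script below is an added example, not code from this thread or from any CA client; it uses only the Python standard library, walks the certificate's DER encoding to extract notBefore/notAfter, and classifies the certificate as ok, due for renewal, expired, or not yet valid. The certificate it inspects is constructed inline by a small DER encoder (empty issuer and subject, placeholder public key and signature), so it is not a real Let's Encrypt certificate, and the 30-day renewal margin is an assumption.

```python
"""Expiry check for an X.509 certificate using only the standard library.

Added example. The constructed sample certificate is structurally a
Certificate but carries dummy content; the 30-day margin is an assumption.
"""
import datetime as dt
import ssl

UTC = dt.timezone.utc


def utc_day(year, month, day):
    """Aware UTC datetime at midnight; convenience for callers and tests."""
    return dt.datetime(year, month, day, tzinfo=UTC)


# --- minimal DER encoder, used only to build the constructed sample ---------

def _der(tag, payload):
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _utctime(t):
    """UTCTime (tag 0x17), YYMMDDHHMMSSZ, the form used for dates before 2050."""
    return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_cert(not_before, not_after):
    """Constructed sample: a Certificate skeleton whose only real field is validity."""
    # AlgorithmIdentifier: OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption) + NULL
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                         # [0] version v3
               + _der(0x02, b"\x01")                                   # serialNumber 1
               + alg                                                   # signature algorithm
               + _der(0x30, b"")                                       # issuer: empty Name (sample)
               + _der(0x30, _utctime(not_before) + _utctime(not_after))  # validity
               + _der(0x30, b"")                                       # subject: empty Name (sample)
               + _der(0x30, b""))                                      # subjectPublicKeyInfo placeholder
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))                # signature: empty BIT STRING


# --- DER reader -------------------------------------------------------------

def _der_read(buf, pos):
    """Decode the TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed value such as a SEQUENCE."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _der_read(value, pos)
        yield tag, val


def _parse_time(tag, raw):
    """Decode a Validity Time (UTCTime or GeneralizedTime) into an aware UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime: RFC 5280 reads YY >= 50 as 19YY, else 20YY
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        t = dt.datetime.strptime("%04d%s" % (year, s[2:]), "%Y%m%d%H%M%SZ")
    elif tag == 0x18:                      # GeneralizedTime: YYYYMMDDHHMMSSZ
        t = dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return t.replace(tzinfo=UTC)


def certificate_validity(pem):
    """Return (notBefore, notAfter) from a PEM-encoded certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    _, cert, _ = _der_read(der, 0)         # Certificate ::= SEQUENCE
    _, tbs = next(_children(cert))         # tbsCertificate is its first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    times = [_parse_time(tag, val) for tag, val in _children(fields[3][1])]
    return times[0], times[1]


def validity_status(not_before, not_after, now, renew_days=30):
    """not_yet_valid / expired / renew (inside the margin) / ok."""
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if not_after - now < dt.timedelta(days=renew_days):
        return "renew"
    return "ok"


def check_cert(pem, now, renew_days=30):
    """Return (status, whole days until expiry) for one PEM certificate."""
    nb, na = certificate_validity(pem)
    return validity_status(nb, na, now, renew_days), (na - now).days


# Constructed 90-day window like the one the thread discusses.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(build_sample_cert(utc_day(2016, 6, 16), utc_day(2016, 9, 14)))

if __name__ == "__main__":
    for day in (utc_day(2016, 6, 1), utc_day(2016, 7, 1), utc_day(2016, 8, 20), utc_day(2016, 9, 15)):
        print(day.date(), *check_cert(SAMPLE_PEM, day))
```

Run unattended, the job only needs the "renew" branch: anything else is either fine or already an incident. Note the UTCTime century rule and the GeneralizedTime branch, because a long-lived self-signed certificate like the ten-year ones mentioned later in the thread can carry a notAfter of 2050 or beyond, which RFC 5280 requires to be encoded as GeneralizedTime.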
On 06/16/2016 11:50 AM, Walter H. wrote:
> Technically there is more: it is not that the user needs to check the dates
> an SSL certificate is valid;
>
> just compare it with real life: which salesman would you trust more -
> the one that gets a new car every few years, which has the same
> advertisements on it and maybe has the same color, or the other one that
> gets nearly every month a new car, which looks totally different,
> other color and other advertisements on it? (and it's not a car dealer)

Your metaphor is extremely strained, and completely unnecessary. It doesn't relate to the reality of certificates in any way. Without using a metaphor, please explain exactly who you think will not trust these certs, because I have never met these people.