What is the use case or benefit for the server admin?
as a server admin I wouldn't want to keep renewing my cert.
can anyone help to explain?
Lets Encrypt certs tend to be renewed by a cronjob, anyway. The advantage is that if someone gets your cert without your knowledge, they have, at most, six days to make use of it.
If they get it without your knowledge, what are the odds they can get the new one too?
If they got it with your knowledge, can't you just revoke the old one?
If they got it with your knowledge, can’t you just revoke the old one?
Yeah, but unfortunately cert revocation isn't that great in practice. Lots of devices and services don't even check the revocation lists on every connection.
I've been using the Swiss Cheese Model for my sandwiches and they've been a disaster.
You have to scramble the slices, otherwise the holes all line up and your mayonnaise falls out.
6 days to do what you want to do to the page and its visitors. I guess that's good?
I understand their reasoning behind this, but I am not sure, this is such a good idea. Imagine Letsencrypt having technical issues or getting DDoS'd. If the certificates are valid for 90 days and are typically renewed well in advance, no real problem arises, but with only 6 days in total, you really can't renew them all that much in advance, so this risk of lots of sites having expired certificates in such a situation appears quite large to me.
I volunteer to help with IT at a makerspace, and I hesitate to go for 6 day expiration times. As volunteers, we can't always fix problems in a timely way like paid IT staff could. We try to automate the hell out of everything, but certs have gone a day or two without getting updated before.
When I look at the default list of trusted CAs in my browser, I get the feeling that certificate lifetimes isn't the biggest issue with server certificates.
The sites I have most frequently have had to add expired certificates to use are US government websites. Particularly those affiliated with the military branches. It’s sad.
People who'd abuse trust into centralized PKI system are not real, they can't hurt you, because if they abuse it, said system's reputation will fall to zero, right?
Except it's being regularly abused. LOL. And everybody is using it.
This is a most excellent place for technology news and articles.
