Let’s Encrypt is sticking with the 90 day expiration period on certs:
1. They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.
2. They encourage automation, which is absolutely essential for ease-of-use. If we’re going to move the entire Web to HTTPS, we can’t continue to expect system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.
This doesn’t really sell me on the choice of a 90 day period. That is still more than enough time for a compromised key to do loads of damage. On the automation front, having solid APIs will do more to promote automation than shorter certificate lifetimes will.
Perhaps I’m too stuck in my ways, having used one year certs for a long time now. I’m still hopeful that Let’s Encrypt will be successful.
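To make the automation argument concrete, here is a small renewal-policy check of the kind an ACME client runs on a schedule. It is an added example, not code from this post or from Let’s Encrypt; the certificate dates are constructed, and the renew-at-one-third-remaining rule is an assumption that mirrors the common client default of renewing a 90-day certificate when about 30 days are left. The point it shows is that the same policy works unchanged for a 90-day and a one-year certificate, so once renewal is automated the lifetime only changes how often the job fires, while the maximum exposure window for a stolen key is capped at the lifetime.

```python
"""Lifetime-agnostic renewal check, as an ACME-style client might apply it.

Added example; certificate dates below are constructed, not from a real host.
"""
import ssl
from datetime import datetime, timezone

# Constructed samples in the format `openssl x509 -noout -startdate -enddate`
# prints: one 90-day certificate and one 365-day certificate (2016 is a leap year).
SAMPLE_CERTS = {
    "ninety-day": ("Jan 10 00:00:00 2016 GMT", "Apr 09 00:00:00 2016 GMT"),
    "one-year":   ("Jan 10 00:00:00 2016 GMT", "Jan 09 00:00:00 2017 GMT"),
}


def parse_validity(not_before, not_after):
    """Turn openssl-style GMT timestamps into aware UTC datetimes."""
    nb = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), timezone.utc)
    na = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    if na <= nb:
        raise ValueError("notAfter must be later than notBefore")
    return nb, na


def lifetime_days(not_before, not_after):
    """Validity period in days; also the longest a stolen key stays usable."""
    nb, na = parse_validity(not_before, not_after)
    return (na - nb).days


def should_renew(not_before, not_after, now, fraction=1 / 3):
    """Decide whether to renew at time `now`.

    Assumed policy: renew once less than `fraction` of the lifetime remains
    (30 days left on a 90-day cert is the 1/3 case). Expired certs always
    renew; a cert that is not yet valid is flagged rather than renewed, since
    that usually means clock skew on the host running the check.
    Returns (renew, reason).
    """
    nb, na = parse_validity(not_before, not_after)
    if now >= na:
        return True, "expired"
    if now < nb:
        return False, "not yet valid (check clock skew)"
    lifetime = na - nb
    remaining = na - now
    reason = f"{remaining.days} days left of {lifetime.days}"
    return remaining < lifetime * fraction, reason


if __name__ == "__main__":
    # Constructed "now" values; a real job would use datetime.now(timezone.utc).
    for when in (datetime(2016, 2, 15, tzinfo=timezone.utc),
                 datetime(2016, 3, 15, tzinfo=timezone.utc)):
        for name, (nb, na) in SAMPLE_CERTS.items():
            renew, reason = should_renew(nb, na, when)
            print(f"{when.date()} {name:10s} renew={renew!s:5s} ({reason})")
```

Run on a timer (cron, systemd timer), the job renews the 90-day certificate roughly every 60 days and the one-year certificate roughly every 243 days, with no operator involvement in either case; the check itself never needs to know which lifetime it is looking at.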
2 replies on “Sticking With 90 Days”
The 90-day limit is their initial compromise. You’re absolutely correct re automation, and as they make progress on that front they will be shortening certificate lifetimes even further.
There is an interesting experiment here: how short can you make a cert valid for and still have it be useful? Can you imagine having to update a cert every 24 hours?