from Hacker News

A Note from Our Executive Director

by soheilpro on 12/12/24, 6:30 AM with 8 comments

  • by politelemon on 12/12/24, 7:09 AM

    Key bit:

    > but we are going to introduce a new offering that’s a big shift from anything we’ve done before - short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.

  • by samgranieri on 12/12/24, 6:30 PM

    On a side note, I've had fun playing with something like this with Caddy and StepCA and bind running in a homelab. I've managed, using the rfc2136 plugin, to rotate certs every ten minutes.

    Every six days is fine, just use something like Caddy that rotates the certs for you and it should just be set it and forget it.

    Yes, I realize this is a bit glib.
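    The two points above (six-day certificates shrink the window a stolen key stays usable, and short lifetimes only work if renewal is automated and watched) can be made concrete with a small inventory check. The block below is an added example written for this page; it is not code from the thread, from Let's Encrypt, Caddy or StepCA. The hostnames, dates and the "renew once a third of the lifetime remains" policy are constructed assumptions; it uses only the Python standard library and runs on the embedded sample data rather than real certificate files.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Hypothetical renewal policy (an assumption for this example): renew once a
# third of the lifetime remains, the same proportion as renewing a 90-day
# certificate with 30 days left. For a six-day certificate that means renewing
# every four days at the latest, so a failed renewal has to be noticed fast.
RENEW_WHEN_REMAINING_IS_AT_MOST_ONE_PART_IN = 3


@dataclass(frozen=True)
class CertRecord:
    host: str
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def classify(cert: CertRecord, now: datetime) -> str:
    """Return 'expired', 'renew' or 'ok' for one certificate at time `now`."""
    if now >= cert.not_after:
        return "expired"
    remaining = cert.not_after - now
    # Integer multiplication keeps the comparison exact (no float rounding).
    if remaining * RENEW_WHEN_REMAINING_IS_AT_MOST_ONE_PART_IN <= cert.lifetime:
        return "renew"
    return "ok"


def exposure_after_compromise(cert: CertRecord, compromised_at: datetime) -> timedelta:
    """How long a leaked key stays usable with this certificate if nobody
    revokes it: until not_after, no matter how often the operator renews.
    Only a shorter validity period shrinks this window."""
    return max(timedelta(0), cert.not_after - compromised_at)


def scan(inventory: List[CertRecord], now: datetime) -> Dict[str, str]:
    """Classify every certificate; a monitor would alert on anything not 'ok'."""
    return {cert.host: classify(cert, now) for cert in inventory}


# Constructed sample inventory: hostnames and dates are made up for this example.
NOW = datetime(2024, 12, 12, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    # six-day cert, issued a day ago, 5 days left
    CertRecord("fresh.example", NOW - timedelta(days=1), NOW + timedelta(days=5)),
    # six-day cert with 1.5 days left: inside the renewal window
    CertRecord("due.example", NOW - timedelta(days=4, hours=12), NOW + timedelta(days=1, hours=12)),
    # six-day cert whose renewal failed: expired a day ago
    CertRecord("lapsed.example", NOW - timedelta(days=7), NOW - timedelta(days=1)),
    # 90-day cert with 20 days left, also due for renewal under the same policy
    CertRecord("legacy.example", NOW - timedelta(days=70), NOW + timedelta(days=20)),
]

if __name__ == "__main__":
    for host, state in scan(SAMPLE_INVENTORY, NOW).items():
        print(f"{host:16} {state}")
    # Suppose every private key leaked right now and none gets revoked.
    for cert in SAMPLE_INVENTORY:
        print(f"{cert.host:16} usable for {exposure_after_compromise(cert, NOW)} if not revoked")
```

    Running it lists `due.example` and `legacy.example` as needing renewal and `lapsed.example` as already expired, and shows that the six-day `fresh.example` key would stay usable for at most five days against twenty for the 90-day one. The design point is that `classify` and `exposure_after_compromise` measure different things: automation keeps the first column green, but only the validity period bounds the second.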

  • by rurban on 12/13/24, 6:14 AM

    Prossimo: That would be rustls, a project that bypassed openssl in every aspect by now. Really everybody should switch over.

    https://www.memorysafety.org/initiative/rustls/

  • by nodesocket on 12/12/24, 5:18 PM

    Interesting choice of 6 days. Any reason 6 was picked?