Replying to Avatar atyh

you already know i think domains, and certificate authorities are shitcoins.

but with a cronjob doing auto renewal, im curious what bugs you about the length of time..
Avatar
Enki 1y ago

I mean, yeah, in a general sense, I share the same opinion about DNS. But is the current system we have.

So DNS issues aside, at least the way that I see it, is even though certificate authorities are already kind of a central point of failure, having a six-day certificate increases that single point of failure risk. If Let's Encrypt has an issue on the scale of something that the Internet Archive had where they're down for days or a week, hundreds of millions of sites will lose their certificates. Having a 90 day cert, even a 30 or 60 day cert gives them some wiggle room in case something catastrophic happens.

Reply to this note

Please Login to reply.

Discussion

Avatar
atyh 1y ago

maybe i just dont know how they work. but it was my impression that a verification request is sent to the certificate authority every time a connection is attempted. in that case, the length of the certification validity would be somewhat irrelevant as the validation request would fail because Lets Encrypt was down.

Avatar
Enki 1y ago

You mean like, anytime someone connects to your website, a request is sent to Let's Encrypt? No your public and private key are stored on your server when you get them.

You only reach out to them when you need to refresh your cert.

Avatar
atyh 1y ago

didnt know that. your

concern makes more

sense.