So with 166 likes out of 212 replies, and some pretty compelling evidence that restricting the certificate lifetime to 90 days is not workable for a large segment of users, is there any movement on allowing longer lifetimes? I’m fine with leaving the default at 90 days, but at least allow us to set a year, even if it’s just for the manual provisioning.
A quick summary of scenarios where 90-day certs are going to be painful:
- HTTP Public Key Pinning (HPKP)
- DNS-Based Authentication of Named Entities (DANE)
- Daemons that need to be restarted to load new cert
- Embedded devices (firewalls, load balancers, IoT, etc)
- Systems where automation is not yet implemented (i.e. Windows/IIS, various daemons, etc.)
- Systems where the user doesn’t have access to the LE client (shared hosting, etc.)
It’s my belief that if the primary mission of Let’s Encrypt is to get the entire Internet using TLS, then that mission is being compromised by this relatively arbitrary restriction. Sure, automate where you can (the lowest hanging fruit / most impact) but this blind insistence that everything must be automated seems foolhardy, and means you’re not capturing a very large proportion of users that would otherwise use the service (myself included).
Another common complaint is that there has been almost zero feedback from LE itself (other than creating the topic). This topic has been going on in one form or another for almost 8 months now, and we still have little if any feedback from LE, and no progress despite a clear case for allowing longer lifetimes. So where do we stand?