Pros and cons of 90-day certificate lifetimes

Osiris · January 10, 2016, 10:38pm

Have you seen the threads in this community? I beg to differ the audience is “system administrators”…

NOYB · January 10, 2016, 11:15pm

The quote is directly from the Let’s Encrypt “Why ninety-day lifetimes for certificates” blog of Nov 9, 2015. So you can beg to differ all you want. But it is your opinion vs. Let’s Encrypt’s public statement.

Osiris · January 10, 2016, 11:35pm

It’s more an observatie than an opinion TBH. And you should read the “system administrator” part of the blog in its context, ofcourse. You could just as easy read it as “the guy or gal who manages the server in question”, which could also be some house mom or a 16 years old geek with a server in his bed room. The two words “system administrator” in that blog are, as I’m reading and interpreting it, not specifically meant for something like “ICT professionals who run a company global site system administrator” or the likes. But just “someone who owns and operates a HTTPS site”.

NOYB · January 11, 2016, 12:05am

I did read it in it’s full context. Which is as a justification of 90 day cert lifetime. Precisely the topic of discussion here. Whether the system administrator is a mother or 16 year old geek is irrelevant. Some moms are very good, capable and experienced system administrators. I know this first hand from working with some of them. But they are not everyone’s or anyone’s mom.

prusswan · January 11, 2016, 6:32am

In this case, the “vendor” did not receive any payment and is not asking for any. Feel free to use a vendor that accepts payment?

prusswan · January 11, 2016, 6:39am

It has more to do with exposure to the internet and public attack vectors (usually web servers). With minimal exposure, a self-signed cert (expired or not) would do just fine, no CA needs to be involved. If the deployment procedure barely lends itself to automation, it is probably not a good use-case for LE to tackle, lifetimes or not.

NOYB · January 11, 2016, 7:44am

Irrelevant. Providing free (to the user) services does not exempt one from criticism, requests to change policies, and even public pressure.
However in this case, yes they did/do receive payment.

alphabootis · January 11, 2016, 10:00am

I personally have no real issue with the short life span of a LE certificate though I wouln’t mind it lengthened either, just as long as renewal automation remains a possibility and keeps working well. Once it will start to involve man hours it will become a problematic think.
Having to restart services to implement a new certificate is a problem with said service IMHO, apart from that though even if I did have to restart, I restart the whole server a whole lot more then that when doing general maintenance such as updates.

If you run something mission critical to the point where a couple of seconds outage is a thing then I assume paying for a longer lasting certificate is not a problem.

fweno84 · January 12, 2016, 7:22pm

The way I see it, LE should check by the ACME protocol what is the nature of the service it is issuing a certificate for. I don’t know how hard would be do that. But like, people are nothing paying attention that there are other services that rely on SSL and aren’t HTTPd servers. Like, would be awesome to have this for OpenVPN - you can’t break connections here. But think about a SMTP server, you don’t want to restart it. I don’t want to go list everything, the point is that some services do would benefit from this but can’t be restarted so often or never. Like I know that there is redundancy but even that being true… you know better is better, if we can use that so lets have it and get everything SSLed!

motoko · January 12, 2016, 7:30pm

There should always be a scheduled maintenance period for a service. Even with a traditional certificate you would normally replace it once a year (or every three years maximum if you pay for the longest period).

Sure you can. Have a scheduled maintenance period. You have to have one for underlying OS patches, security fixes, and system updates, right? Especially for something so security-critical. Roll the certificate renewal into that period too.

Also, if you have a site-to-site VPN set up, you're probably going to be using self-signed or private CA certificates anyway.

Sure you do. It's not a long process to recycle the application. If it's in high demand, you will either have a pool of servers where you can cycle the process on one at a time, or you have that maintenance window.

Maintenance window, maintenance window, maintenance window. If you can't ever restart the service, you won't be able to use any commercially-issued certificate as they all will expire at some point.

If you have a critical service that has to have 100% uptime, you have a lot more problems than a certificate from Let's Encrypt and would have the redundancy that would make a certificate replacement easy to do.

fweno84 · January 12, 2016, 7:38pm

Well, the thing you are not seeing here is that - yes you are right that a Restart will always be needed. But the shorter is the certificate lifetime than more restarts you have. And that get worse if you have to many servers.

motoko · January 12, 2016, 8:12pm

Obviously, but given the usual timing of security updates, you’ll probably be having to restart a service or even the whole OS at least once a quarter (if not once a month). If you’re not doing that, you’re probably running with critical security issues. If that’s fine because it’s for internal use only, why aren’t you using your own private CA for certificate management then and why can it be accessed from the public net?

If you absolutely need 100% uptime, you’ll be having redundant servers, load balancing, failovers, etc. You can use that to replace the certificate across the machines in a serial manner without interrupting the entire service you’re providing. It should be the exact same process of rolling updates across your footprint.

danb35 · January 15, 2016, 12:29am

What crowd funding? What threats?

motoko · January 15, 2016, 1:24am

Google is also in the business of making sure that if their certificates or private keys are compromised or a security flaw is found that requires revoaction, they can expire as quickly as possible because browsers suck at checking for revoked certificates.

You did read the first post on this topic before launching into this fantasy, right? It's the one where one of the actual people behind the service talked about extended lifetimes. Also, where did this crowdfunding take place? I don't recall reading anything on that. Perhaps you're talking about the large sponsors expending money and personnel to support the ISRG?

You have proof of this, right? I mean, that's a pretty strong allegation. I'm also curious on what parts you feel are not secure, as LE doesn't see any private encryption keys for the certificates being issued.

Ah, you don't have any proof. You're just making up wild scenarios to fit your preconceived notions. May I posit that perhaps I am part of a shadowy cabal bent on destroying society via infecting the young minds of the world with anime and thus leading them to stop caring about procreation? It probably has about as much credibility as what you're posting.

Well, if you read the topic starter (and I suspect you haven't), it's a consideration. It may not happen during this public beta phase, but it may happen. The maximum they could offer ever is 39 months (or just over 3 years) because of the requirements of the CA/Browser Forum (see Section 6.3.2 of the Baseline Requirements). Deviating from the requirements is a good way to get removed from the trusted CA lists.

That's all public information as the ISRG, which runs Let's Encrypt, is a 501(c)(3) organization. Just contact the IRS and get the information on Form 990 or contact the ISRG itself and ask for a copy.

NOYB · January 15, 2016, 2:02am

No. This thread is not about consideration. It's a pink Flamingo.

pfg · January 15, 2016, 9:00am

Source? I can't think of a single paid Google product that's not a SaaS app. Cracking through date modification would only be viable for things that run client-side and don't require any online verification in order to be used. Seriously, you actually think Google is setting up a sock puppet CA just to prevent users from using cracked software? Instead of, like, just fixing their software license check to require online verification? Oh wow.

This is FUD.

danb35 · January 15, 2016, 11:55am

Aren't some versions of Sketchup paid? They run locally (though I have no idea what, if any, license verification is done). I'm loath to give any credibility to the tinfoil-hat crowd, but we should be correct.

pfg · January 15, 2016, 12:09pm

I believe they’re not owned by Google anymore. There might have been a paid version of Google Earth or something similar (Google Earth Pro?), but I don’t think they sell it anymore. It’s quite possible they have sold or are still selling some kind of offline-license-software that I’m not aware of, but I’d be surprised if that accounts for more than, say, 0.1% of their profit, so yeah, quite tinfoily indeed.

(That’s enough off-topic on that matter from my end )

My1 · January 15, 2016, 12:20pm

well I am tinfoil enough to use 16k bit rsa keys (but in the end it’s just a bit more than 256 bit symmetric)

but those 90 day certs are pretty annoying unless the automation is flawless (which it CERTAINLY isnt)
I have right now a part of StartSSL Certs and some from CACert (not really trusted but still better than selfsigned)
LE doesnt really run on windows without IIS, so the only way is manual mode on my raspi and with right now 14 domains (including all subs and aliases, well no thanks.

I would love to just set a DNS record or verify my whois address once every half eternity (or a year) for the main domains which should also apply to subdomains, put in a CSR and get my SAN cert.

Osiris · January 15, 2016, 12:23pm

Yet...