[Moderator’s note: If you would like to express your support for longer certificate lifetimes, please ‘like’ this thread rather than posting a +1 comment, per the Community Guidelines.]
Let’s Encrypt certificates currently have a ninety-day lifetime. Web standards do not require any minimum certificate lifetime. As of 2015, the Baseline Requirements specify a maximum certificate lifetime of 39 months.
The Technical Advisory Board chose a 90-day certificate lifetime to start with, with the expectation that people will want to auto-renew at the 60-day mark. As with most decisions, it’s possible that the TAB could recommend otherwise in the future. If so, it would be based on balancing pros and cons and looking at whether the current approach is working well.
In this thread, let’s build a list of concrete pros and cons of a 90-day ceiling on certificate lifetimes. I’ve tried to summarize the salient, non-rebutted points from the earlier thread.
Pros:
- When an attacker compromises a certificate’s private key, they may bypass revocation checks and use that certificate until it expires. Shorter lifetimes decrease the compromise window in situations like Heartbleed.
- Offering free certificates with a shorter lifetime provides encouragement for operators to automate issuance. Automated issuance decreases accidental expiration, which in turn may reduce warning-blindness in end-users.
- Let’s Encrypt’s total capacity is bound by its OCSP signing capacity, and LE is required to sign OCSP responses for each certificate until it expires. A shorter expiry period means less overhead for certificates that were issued and then discarded, which in turn means higher total issuance capacity.
Cons:
- Automated issuance is not yet supported in lots of popular web servers (Azure and IIS in particular).
- Common non-HTTPS servers (IRC, mail, VPN) may require a restart to load new certificates. Ninety-day certs mean six server restarts per year instead of one, interrupting long-lived connections more frequently.
- Automated deployment of renewed certificates to routers, firewalls, and Internet of Things devices is difficult.
- Some operators choose not to run any automated renewal software on their servers. Manually renewing every 60 days is burdensome.
- More frequent renewals increase the chance that a renewal may fail repeatedly for 30 days while an operator is unavailable, leading to an outage.
- The official client’s renewal implementation still needs work.
- Some people consider encouraging automated issuance and renewal to be scope creep for Let’s Encrypt.
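For operators who renew by hand or worry about a renewal job failing silently while nobody is watching, a small check against the renew-at-60-days policy is the usual mitigation. The following is an added example, not code from Let’s Encrypt or from this post; it assumes the `notBefore`/`notAfter` strings in the dict shape that Python’s `ssl.SSLSocket.getpeercert()` returns, and the thresholds (renew at two thirds of the lifetime, last week is critical) are assumptions.

```python
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: renew once two thirds of the lifetime has elapsed
# (the 60-day mark of a 90-day certificate); treat the last week as critical.
RENEW_FRACTION = 2 / 3
CRITICAL_DAYS = 7


@dataclass
class RenewalStatus:
    state: str              # "ok" | "renew_due" | "critical" | "expired"
    lifetime_days: int      # notAfter - notBefore
    days_left: int          # days until expiry (negative once expired)
    renew_due_in_days: int  # days until the renewal mark (negative = overdue)


def parse_cert_time(value: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings that getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def renewal_status(peercert: dict, now: datetime = None) -> RenewalStatus:
    """Classify a certificate against the renewal policy; only notBefore/notAfter are used."""
    now = now or datetime.now(timezone.utc)
    not_before = parse_cert_time(peercert["notBefore"])
    not_after = parse_cert_time(peercert["notAfter"])
    lifetime = not_after - not_before
    renew_at = not_before + timedelta(seconds=round(lifetime.total_seconds() * RENEW_FRACTION))

    days_left = (not_after - now).days
    renew_due_in = (renew_at - now).days
    if now >= not_after:
        state = "expired"
    elif days_left <= CRITICAL_DAYS:
        state = "critical"          # renewal has been failing for weeks: page someone
    elif now >= renew_at:
        state = "renew_due"         # inside the 30-day retry window
    else:
        state = "ok"
    return RenewalStatus(state, lifetime.days, days_left, renew_due_in)


# Constructed sample: a 90-day certificate issued on 1 Jan 2024 (not a real certificate).
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Mar 31 00:00:00 2024 GMT"}

if __name__ == "__main__":
    for day in ("Feb 15", "Mar 10", "Mar 28", "Apr  1"):
        print(day, renewal_status(SAMPLE_CERT, now=parse_cert_time(f"{day} 00:00:00 2024 GMT")))
```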
Add your own pros and cons below. As always, please follow the Community Guidelines: be kind, stay on topic, and provide useful feedback. An example of useful feedback: “ISO standard 1337 prohibits unattended server config reloads, and 10,000 websites representing 1M monthly visits are subject to those requirements.” Examples of unhelpful feedback: “I refuse to use 90-day certificates” or “I agree” (please ‘like’ the thread instead). An example of inappropriate feedback: “Anyone who uses unattended server reloads is an idiot.”