14-Mar-2023 09:30
Just spotted this article, Google limiting TLS certificate validity to 90 days.
14-Mar-2023 10:22
They do this. When you have that much browser market share, standards are suggestions. Member when Chrome quietly dropped secp521r1 and broke a TON of internal CAs? It might not have been in any NIST-recommended ciphers but damn, it doesn't mean it's not in use.
The issue with this is that internal and CAs that might not be fully automated now have to drop other balls to make sure that users using Chrome don't go high and dry.
I get it, I get the need, but it's akin to forcing longer passwords. Benefit to practical risk of not having 90-day certs?
Discuss.