Exactly this. The CA/B Forum (which makes the rules about TLS certificates that all the providers follow) is actively trying to reduce certificate validity periods. 2-3 years ago, they reduced the maximum duration for TLS certificates to 13 months. It’s likely they’ll go even lower in the future.
My understanding is that they want the entire industry to move towards a Let’s Encrypt style system where renewal is fully automated and thus there’s minimal overhead to renewing more frequently. We’re not quite there yet.
FrederikNJS@lemm.ee 1 year ago
While shorter lived certs certainly improve the general security, certificate revocation lists are what you need if a cert gets compromised.
dauerstaender@feddit.de 1 year ago
They don’t work in practice, no modern browser actively queries any revocation DBs. It’s just much more efficient to let something expire sooner than keep track of all lost somethings.
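The two points raised in this thread, the 13-month validity cap with automated short-cycle renewal and the question of whether a certificate even carries revocation information, can both be checked mechanically. The Go program below is an added example written for this page, not code from any of the commenters or from the CA/B Forum. It assumes the cap is 398 days (the Baseline Requirements figure behind "13 months"), uses the Let's Encrypt convention of renewing once two thirds of the lifetime has elapsed as its renewal threshold, and generates its own throwaway self-signed certificates (the hostnames and URLs in them are constructed placeholders) so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxValidity is the 398-day cap (assumed here to be the "13 months" the thread refers to).
const MaxValidity = 398 * 24 * time.Hour

// Finding summarises what the checker concluded about one certificate.
type Finding struct {
	Lifetime      time.Duration
	ExceedsCap    bool // lifetime longer than the 398-day cap
	DaysRemaining int
	RenewNow      bool // more than 2/3 of the lifetime has elapsed (assumed renewal policy)
	HasCRL        bool // carries a CRL Distribution Points extension
	HasOCSP       bool // carries an OCSP responder URL in Authority Information Access
}

// Check evaluates an already-parsed certificate as of time now.
func Check(cert *x509.Certificate, now time.Time) Finding {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	return Finding{
		Lifetime:      lifetime,
		ExceedsCap:    lifetime > MaxValidity,
		DaysRemaining: int(remaining.Hours() / 24),
		RenewNow:      remaining < lifetime/3,
		HasCRL:        len(cert.CRLDistributionPoints) > 0,
		HasOCSP:       len(cert.OCSPServer) > 0,
	}
}

// SelfSigned builds a throwaway self-signed leaf certificate with the given lifetime.
// Hostnames and URLs below are constructed placeholders for the example only.
func SelfSigned(notBefore time.Time, lifetime time.Duration, withRevocationInfo bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example.test"},
	}
	if withRevocationInfo {
		tmpl.CRLDistributionPoints = []string{"http://crl.example.test/ca.crl"} // placeholder
		tmpl.OCSPServer = []string{"http://ocsp.example.test"}                  // placeholder
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Round-trip through the encoder so we check what a relying party would actually see.
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

	// A 90-day certificate with no revocation pointers, inspected on day 70.
	short, _ := SelfSigned(start, 90*24*time.Hour, false)
	fmt.Printf("90-day cert on day 70: %+v\n", Check(short, start.Add(70*24*time.Hour)))

	// A two-year certificate with CRL and OCSP pointers, inspected on day 0.
	long, _ := SelfSigned(start, 730*24*time.Hour, true)
	fmt.Printf("730-day cert on day 0: %+v\n", Check(long, start))
}
```

Point `Check` at a certificate obtained from `tls.ConnectionState.PeerCertificates` or from `x509.ParseCertificate` on a DER file to run it against real deployments. A certificate that reports `ExceedsCap` would be rejected by browsers that enforce the cap, and one with neither `HasCRL` nor `HasOCSP` leaves expiry as its only fallback if the key is ever lost.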