This seems like a good idea.
Comment on Decreasing Certificate Lifetimes to 45 Days
cron@feddit.org 7 hours agoThe best approach for securing our CA system is the “certificate transparency log”. All issued certificates must be stored in separate, public location. Browsers do not accept certificates that are not there.
This makes it impossible for malicious actors to silently create certificates. They would leave traces.
Arghblarg@lemmy.ca 7 hours ago
cron@feddit.org 7 hours ago
The only disadvantage I see is that all my personal subdomains (e.g. immich.name.com and jellyfin) are forever stored in a public location. I wouldn’t call it a privacy nightmare, yet it isn’t optimal.
There are two workarounds:
- do not use public certificates
- use wildcard certificates only
Burnoutdv@feddit.org 6 hours ago
But how to automate wildcard certificate generation? That requires a change of the txt record and namecheap for instance got no mechanism for that to automatically happen on cert bot action
cron@feddit.org 5 hours ago
There are some nameserver providers that have an API.
When you register a domain, you can choose which nameserver you like. There are nameservers that work with certbot, choose one that does.
False@lemmy.world 4 hours ago
Isn’t this just CRL in reverse? Part of the point of cryptographically signing a cert is so you don’t have to do this if you trust the issuer.
cron@feddit.org 4 hours ago
No, these are completely separate issues.
This is just one example why we have certificate transparency. Revocation wouldn’t be useful if it isn’t even known which certificates need revocation.
Source
Auli@lemmy.ca 4 hours ago
Or the more likely a rouge certificate authority giving out certs it shouldn’t.