That's a problem for the company, not the security of the Internet. Why do the PKI people take it upon themselves to increase the problems for these companies in order to force them to automate processes?
Reduced certificate expirations also enhances the security of the internet as it reduces the window of opportunity for nefarious uses. It could possibly reduce their number of support calls from someone who's taken over from a previous admin and is now faced with an undocumented manual process to replace certs in a hurry as their website has an expired cert.
Personally, I don't see the problem with short expiry dates, though less than a month would be too short in my opinion.
A window of opportunity of 45 days is not significantly different from one of 90 or 365 days. If it's the only protection you have from a leaked private key, then a while lot of people are gonna get MITMed.
But the argument I was replying to was saying that the main advantage of short expiration times is that it encourages companies to automate the process, which reduces the chance that the certificate is accidentally allowed to expire. This is not a security issue for anyone, least of all people using browsers.
Plus, this concept that short expiration times increase security is suspect at best. If the private key leaked, 45 days is far too long, you'd need to reduce this to hours to actually help as a revocation strategy. And even then, chances are that the new key will leak as well right away, as it's most likely that the key was stolen by some undetected malware. And if the key didn't leak, a two year old cert is just as secure as a two minute old one.
> This is not a security issue for anyone, least of all people using browsers.
I disagree. The smooth running and ease of automation of TLS certs benefits the entire ecosystem, including the end-users. Remember when the only sites that had TLS certs were the ones that could afford it?
> If the private key leaked, 45 days is far too long, you'd need to reduce this to hours to actually help as a revocation strategy.
This is a good example of the Nirvana Fallacy.
> And even then, chances are that the new key will leak as well right away, as it's most likely that the key was stolen by some undetected malware.
No certificate expiry control can protect against continuous, undetectable data exfiltration. Meanwhile, a one-time access that grants me the ability to impersonate you for 2 years is a significantly worse situation than one that only grants me that ability for a few weeks.
