https://letsencrypt.org/2025/12/02/from-90-to-45.html

thread: /4701

#CABForum #PKI #LetsEncrypt

Telegram 原文 [2/2]

SSL/TLS サーバー証明書における WHOIS 情報を利用したドメイン名使用権確認方法の廃止について #フィッシング対策協議会 (May 8)

#SSL証明書 #ドメイン認証 #WHOIS廃止 #フィッシング対策 #CABForum

www.antiphishing.jp/report/wg/ce...

Of course, people who haven't experience in this area will now be furiously responding that social media is entirely different etc. Only it really is not.

Very little in the CABForum guidelines relates to cryptography or X.509v3, those are the easy bits.

Blue Sky aren't exactly explaining how they are going about it. Seems that most of the accounts are being validated through periodicals journalists work for and such.

There is actually an organization that specializes in this type of concern, CABForum.

Journalists writing for a newspaper is easy - authenticate the newspaper. They usually have a better known brand and we have validation criteria for organizations, see CABForum EV guidelines.

The other problems are much harder because names are not as unique as people might expect for a start.

Ha. Perfect. So are we opening a naming contest for the CABForum analog yet?

@fugueish.bsky.social suggested TVATPBV Forum when I was joking about is earlier

Certs will have 47 days of validity by 2029. lengths get shorter from march 2026. Reuse domain val material will be 10 days.

this is diff to very short validity certs that can be issued now. Lets Encrypt will offer 6 day certs by end of yr
#tls #certificates
github.com/cabforum/ser...

#cabforum passed SC-081v3 to shorten public #tls cerficiate validity to a eventual 47 days, creating a market for new jobs like "certificate renew specialist" and "technican for certificate error ignoring".

This also brings light to a world of easier phishing cuz... you know, people don't get […]

There are two sets of *existing* criteria that would be applicable to verifying names: The CABForum EV criteria for organizations and the EU Qualified Certificates for people.

My proposal is that every name has a canonical form and a presentation form.

3/

So there are two parts to issue of a TLS certificate for the devices. First there is a personal PKIX CA operated on behalf of the user at whatever degree of security is appropriate, Second there is a public CA that issues cross certificates to users under a non-CABForum CA.

おっと、これは知らなかった。Googleは90日への短縮を提案 www.chromium.org/Home/chromiu... していて、Appleは45日への短縮を提案 github.com/cabforum/ser... しているのね。どっちにしても、自社でウェブサーバを管理しているような弱小独立事業者はとっとと退場しろ、と言いたいのだろうなあ。あまりにも乱暴な意見だと思うけど…
さて、某大学の場合、大多数のウェブサーバはLet's Encryptを使っているので対応可能ですが、UPKIから取得した証明書を使って手動で管理している一部サーバとネットワーク機器が問題になりそう。やれやれ。

Really, Apple? Reducing the lifespan of TLS to 10 days is the threat mitigation we need? Sure, you'll force automation in TLS key management, but I can't see the cost / benefit justification for that. #infosec

github.com/cabforum/ser...

The comments on github.com/cabforum/ser... is like a cavalcade of bad takes

Nova proposta para reduzir validade máxima de certificados SSL para 45 dias até 2027 🚨

github.com/cabforum/...

Nova proposta para reduzir validade máxima de certificados SSL para 45 dias até 2027 🚨

https://github.com/cabforum/servercert/pull/553