Conversation

@bdaehlie bdaehlie (Contributor) commented Aug 3, 2025

Resolves #1214

@bdaehlie bdaehlie (Contributor, Author) commented Aug 3, 2025

Asking for content review first, once we're happy with that I'll commit all the other language files for this. That'll keep the diff UI here cleaner during content review.

@bdaehlie bdaehlie requested review from jsha and aarongable August 3, 2025 04:53
@bdaehlie bdaehlie marked this pull request as ready for review August 3, 2025 04:53
@aarongable aarongable (Contributor) left a comment
Content generally LGTM, especially the justifications around why we offer the lifetimes that we do. Some of the more factual information seems redundant with what's already explained on the Profiles page (https://letsencrypt.org/docs/profiles/), so we should at the very least link to that, if not replace some of this language with just a link to that to prevent duplication.

@schoen schoen (Collaborator) commented Aug 7, 2025

Another benefit is that shorter lifetimes limit the damage from properly-issued certificates whose contents become incorrect during their lifetimes. For DV, that's largely the case of "control of the underlying subject identifier changed". For other forms of certificates that Let's Encrypt doesn't issue it could be that some other detail about the subject changed.

A real-world offline example for me is that I had an internship in college and was issued an employee ID with no expiration date. As a result, I used my (unexpired!) employee ID a couple of times after my internship had ended to visit the employer's campus again and enjoy the nice view there. The ID document was no longer accurate, in the sense that the employee relationship it described no longer existed. I didn't do anything harmful or malicious to my former employer or its premises, but their security policy would probably have preferred that former interns be more readily distinguished from current interns!

Successfully merging this pull request may close these issues.

Add documentation about certificate lifetime choices and future plans
3 participants