I mentioned earlier that Let's Encrypt was going to try a six-day version (see "Let's Encrypt 要嘗試六天的 TLS certificate"); just now I saw the news on both Lobsters and Hacker News: "Announcing Six Day and IP Address Certificate Options in 2025".
Earlier I had wondered why a six-day certificate was needed at all; isn't a CRL good enough? This time they give an interesting angle I had not considered before: because the validity period is short enough, the revocation mechanism is simply dropped.
Our six-day certificates will not include OCSP or CRL URLs.
I had assumed that the CA/Browser Forum's BR (Baseline Requirements for TLS Server Certificates) mandates a revocation mechanism, but while digging through the material I found this:
4.9.1.1 Reasons for Revoking a Subscriber Certificate
The CA MAY support revocation of Short-lived Subscriber Certificates.
And the current definition of short-lived is 10 days or less, dropping to 7 days or less next March (okay, so that is why Let's Encrypt went with a six-day design):
Short-lived Subscriber Certificate: For Certificates issued on or after 15 March 2024 and prior to 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 10 days (864,000 seconds). For Certificates issued on or after 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 7 days (604,800 seconds).
So the CA/Browser Forum only uses a MAY for short-lived certificates, and does indeed accept the absence of a revocation mechanism.
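As an added example (not from this post, Let's Encrypt or the CA/Browser Forum), here is a Python check that applies the BR definition quoted above: it picks the threshold from the issuance date, counts the validity period inclusively from notBefore through notAfter (the RFC 5280 reading, taken here as an assumption), and accepts a certificate with no OCSP or CRL URLs only when it is short-lived. CertInfo and make_cert are constructed stand-ins for a parsed certificate, not a real parser.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Thresholds from the BR definition quoted above, keyed by the date they take effect.
SHORT_LIVED_RULES = [
    (datetime(2024, 3, 15, tzinfo=timezone.utc), 864_000),  # <= 10 days
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 604_800),  # <= 7 days
]

@dataclass
class CertInfo:
    """Constructed stand-in for a parsed certificate (no real DER parsing here)."""
    not_before: datetime
    not_after: datetime
    ocsp_urls: list = field(default_factory=list)  # from Authority Information Access
    crl_urls: list = field(default_factory=list)   # from CRL Distribution Points

def make_cert(issued_iso, days, ocsp_urls=(), crl_urls=()):
    """Build a CertInfo issued at midnight UTC on issued_iso, with notAfter `days` later."""
    not_before = datetime.fromisoformat(issued_iso).replace(tzinfo=timezone.utc)
    return CertInfo(not_before, not_before + timedelta(days=days),
                    list(ocsp_urls), list(crl_urls))

def validity_seconds(cert):
    # Assumption: the BRs count notBefore through notAfter inclusive (RFC 5280), hence +1.
    return int((cert.not_after - cert.not_before).total_seconds()) + 1

def short_lived_limit(issued_at):
    """Max validity in seconds for a short-lived cert issued then; None before 15 March 2024."""
    limit = None
    for effective_from, seconds in SHORT_LIVED_RULES:
        if issued_at >= effective_from:
            limit = seconds
    return limit

def is_short_lived(cert):
    limit = short_lived_limit(cert.not_before)
    return limit is not None and validity_seconds(cert) <= limit

def check_revocation_pointers(cert):
    """'ok' when the cert carries OCSP/CRL URLs or is short-lived; otherwise a reason to flag it."""
    if cert.ocsp_urls or cert.crl_urls or is_short_lived(cert):
        return "ok"
    return "no OCSP/CRL URL on a certificate that is not short-lived"
```

Note the inclusive count: a notAfter exactly 10 days after notBefore spans 864,001 seconds and misses the 10-day limit, so a validity period has to sit strictly inside the threshold.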
Back to Let's Encrypt's own announcement: it looks like they will test internally in February (an internal test?), then let a few external parties test around April (a closed beta?), and finally reach GA (general availability) before the end of the year:
We expect to issue the first valid short-lived certificates to ourselves in February of this year. Around April we will enable short-lived certificates for a small set of early adopting subscribers. We hope to make short-lived certificates generally available by the end of 2025.
The other item is TLS certificates for IP addresses, which looks like it is planned on the premise of short-lived certificates:
The earliest short-lived certificates we issue may not support IP addresses, but we intend to enable IP address support by the time short-lived certificates reach general availability.
This whole package treats the existing revocation mechanism as a workaround, so the design heads toward removing revocation entirely. It is a bit of a pity that OCSP stapling (and the must-staple mechanism) never really took off...