356
Let's Encrypt Announces New-Certificate-Every-6-Days Offering
(letsencrypt.org)
This is a most excellent place for technology news and articles.
Don’t certs just create an ephemeral key pair that disappears after the session anyhow? What does cert validity period have to do with “This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.”
I mean, it’s LE so I’m sure they know what their talking about. But…?
I'm far from an expert on PKI, but isn't the keypair used for the cert used for key exchange? Then in theory, if that key was compromised, it could allow an adversary to be able to capture and decrypt full sessions.
No. Perfect Forward Secrecy (ephemeral keys) prevents this type of replay.
Time for a dive, thanks.
Although this only was added in TLS1.2 I think. I had to switch it on manually for my server.
I think it's default for TLS1.3.