I'm not advocating getting rid of the web of trust system - it has a reason to exist. What I am advocating is the burning to a smoking, lifeless crater of the current system of CAs and their mafia-like relationship with their customers. ("Gee, that's a nice website you have there, would be a shame if all your visitors got scary, misleading warnings...")
Let's Encrypt is a great first step towards that. If certs are issued by a known good actor with no perverse incentives, most of the other problems I'm complaining about completely go away, or at least become a lot less problematic, and as a nice side benefit, the Startcoms and the Verisigns of the world get to do something more productive with their time.
As to the expiration, that is a completely arbitrary and bureaucratic distinction, not a practical one. Your domain doesn't stop being owned by you and your private key doesn't lose its qualities just because the date is D+1d.
The entire concept of expiring certs could be removed from the web SSL system with no ill impact.
Look at it this way:
* If the idea was to protect against key compromise, a rekey would be required - it isn't.
* If the idea was to re-verify your identity, renewing a cert would be more involved than logging in and pasting a CSR - it isn't. And that goes double when the cert is only for domain validation and doesn't vouch for anything other than the fact that the guy who generated the CSR had access to the server the domain points at when the cert was generated.
Both of these are practical concerns that are completely ignored - so what reasons are left?