Hacker News new | past | comments | ask | show | jobs | submit login

It is an interesting side effect of the tenancy of software developers these days that any process that requires action on a > 2 year interval is likely to fail, if the cycle is 5 years or more it will always fail.

The turnover insures that nobody in the department was there when the process was started/last interacted with, and so it is off the collective organizational radar so to speak.




This is why Let's Encrypt has a short cycle.


Not really. The short (90 day) Let's Encrypt expiry is intended to promote automation because it's annoying to do so many renewals by hand, and is also a reflection of the relatively short lifetimes of most Internet names.

Historically it was common to issue 3 year certs, and five year certs weren't rare (until 2015). But whilst it's reasonable to expect microsoft.com or bbc.co.uk belonging to the same outfit in five years, it's hard to be as sure about say jsnes.org (currently a Javascript NES emulator) or catandgirl.com (a web comic by Dorothy Gambrell) which might well entertain offers from somebody else who wanted those names.

The underlying domain name is typically on an annual renewal cycle with perhaps just 14 days grace if you stop paying, and individual FQDNs might have even shorter turnaround. With a five year certificate this means you could buy a certificate the day before your renewal payment is due, and then still have an apparently good, working certificate for that name five years later when it's owned by somebody else entirely who has no idea you once owned that name. Not great. Let's Encrypt's renewal cycle closes this gap considerably. The BRs were also amended, the limit is now 825 days instead of 39 months or (originally) 60 months.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: