I don't see the benefit of reducing the lifespan of these certificates. In a world where everyone could use Let's Encrypt it makes sense, but that's not realistic for every company. I don't think it's worth the trouble.
The linked article explains how longer certificate validity times cause issues when compromised certificates aren't revoked (as they often aren't). Limiting the lifespan of certificates reduces the potential fallout.
If your infrastructure is complicated enough to make Let's Encrypt non-viable, then you're large enough that a certificate renewal period of a year isn't that onerous to begin with. If anything, at that point having multi-year renewal periods just leads to more of a headache when it inevitably gets forgotten about, since it's such an infrequent task.
cryptonector | 6 years ago
That will force operations to run tip-top. It will force much TLS software to learn to reload certificates automatically.
Most critically, it will mean not needing CRLs or OCSP.
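The comment above says shorter lifetimes will force TLS software to pick up renewed certificates on its own. As an added example (not code from the thread or from any project named in it), here is a Go server-side pattern that does exactly that: a tls.Config.GetCertificate callback that re-reads the PEM files whenever the certificate file's mtime advances, keeps the last good pair if a half-written file turns up mid-renewal, and a renew-at-two-thirds-of-lifetime check. The file layout, the mtime-based change detection, the two-thirds policy and the self-signed fixture are all assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// CertReloader serves whatever certificate is on disk right now (assumed design): renewal tooling drops new PEM files in place and the running server picks them up.
type CertReloader struct {
	certPath, keyPath string
	mu                sync.RWMutex
	cert              *tls.Certificate // last pair that loaded cleanly, Leaf parsed
	modTime           time.Time        // mtime of certPath when that pair was loaded
}

// reload re-reads the key pair only when the certificate file's mtime has advanced.
func (r *CertReloader) reload() error {
	info, err := os.Stat(r.certPath)
	if err != nil {
		return err
	}
	r.mu.RLock()
	unchanged := r.cert != nil && !info.ModTime().After(r.modTime)
	r.mu.RUnlock()
	if unchanged {
		return nil
	}
	pair, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return err
	}
	if pair.Leaf, err = x509.ParseCertificate(pair.Certificate[0]); err != nil {
		return err
	}
	r.mu.Lock()
	r.cert, r.modTime = &pair, info.ModTime()
	r.mu.Unlock()
	return nil
}

// GetCertificate fits tls.Config.GetCertificate and runs on every handshake; if the new files are unreadable (say, half-written mid-renewal) the last good pair is kept.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	err := r.reload()
	r.mu.RLock()
	defer r.mu.RUnlock()
	if r.cert == nil {
		return nil, err
	}
	return r.cert, nil
}

// NeedsRenewal reports whether under a third of the validity period remains (assumed renew-at-two-thirds policy).
func NeedsRenewal(c *x509.Certificate, now time.Time) bool {
	return now.After(c.NotAfter.Add(-c.NotAfter.Sub(c.NotBefore) / 3))
}

// WriteSelfSigned writes a constructed self-signed ECDSA certificate and key into dir: a test fixture standing in for a CA-issued certificate so the example runs offline.
func WriteSelfSigned(dir, host string, notBefore, notAfter time.Time) (string, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key GenerateKey just produced
	certPath, keyPath := filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "certs")
	defer os.RemoveAll(dir)
	now := time.Now()
	certPath, keyPath, err := WriteSelfSigned(dir, "example.test", now, now.Add(90*24*time.Hour))
	r := &CertReloader{certPath: certPath, keyPath: keyPath}
	c, err2 := r.GetCertificate(nil) // what crypto/tls calls via &tls.Config{GetCertificate: r.GetCertificate}
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, err2))
	}
	fmt.Printf("serving %s until %s; renew now: %v\n", c.Leaf.Subject.CommonName, c.Leaf.NotAfter.UTC(), NeedsRenewal(c.Leaf, now))
}
```

Wire it in with `&tls.Config{GetCertificate: r.GetCertificate}`; the stat on every handshake is cheap next to the handshake itself, and the read-lock fast path means an unchanged file never serializes connections. Writing the renewed files to a temp name and renaming them into place keeps the reloader from ever seeing a partial file, but the last-good fallback covers it either way.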
OrgNet | 6 years ago
gen3 | 6 years ago
CydeWeys | 6 years ago
MertsA | 6 years ago
quotemstr | 6 years ago
jazzyjackson | 6 years ago
OrgNet | 6 years ago