
It would be nice if you included the financial motivation in the article as well. Makes total sense, and I totally agree that 7-day certs are better (security-wise) than 1 year; I just wasn't sure whether, in the absence of any financial motivation, it would be worth the effort (having to roll private keys every week) for the limited protection it gives you.


You eventually have to roll over keys at least once every N years, so if you are automating it, the length of time doesn't really matter.

In this case, they are just limiting the window.


Indeed, we were going to do the auto-renewal regardless, so making it every 7 days didn't really add any work.

Meanwhile I really am paranoid about long-lived keys of any sort, especially if they need to be online as TLS keys must. I wish CAs offered short-lived keys more readily (and web infrastructure supported it); I'd love to enable them for all Sandstorm properties.



