The Linux Foundation's Certificate Authority (CA) Significantly and Suspiciously Raises the Number of Certificates It Issues (Quantity Increase/Inflation) by Lessening Their Lifetime in the Name of 'Security' (That Barely Makes Sense!)
Seeing what sort of companies sponsor this, obviously for their own financial gain, do you trust them and can you trust their CA? A lot of it got outsourced to Microsoft (proprietary, CSO a two-decades-long NSA veteran).
WE do not want to rush to judgement here and we're still assessing the situation to avoid barking up the wrong tree. So far we've discussed this internally and sought some takes from real security experts (mostly contentless), not posers and pretenders in the pockets of the Linux Foundation et al.
From what we can gather, based on the original statement and some punditry, Let's Encrypt (LE) has decided to mention 6 days (about a week) for certificates' rotation. I'm old enough to remember - pardon the pun! - certificates lasting a year (if not longer) "as standard" (they were not free either, so longevity mattered; those were an artificial scarcity, gardened suitably for a fee). Then that become 6 months. Then LE made 3 months the "standard" for most, soon to become just 6 days instead of 6 months? What does that mean to server administrators such as us? We used to discuss this with FFII, which shared our concerns and said that this rotation was mostly a headache, inevitably inducing unfortunate downtimes (especially for small, grassroots operations online). Can one even go on holiday without getting some frantic phonecall about expired certificates? Cui bono? To us activists, 24/7 coverage does not exist or seldom exists. We're not Amazon. Even GAFAM occasionally has incidents like these, so what hope is there for the rest of us? Years ago it happened to the Linux Foundation with Citrix/Xen. People were enraged. How many incidents need we observe as cautionary tales? I saw a lot of that in my prior job (they need 'certificates swapping butlers', who groom small binary files instead of getting "real work" done).
So the main question we ask is, does that worsen things for "small voices"? Does this make it hard for 'amateur' sites to be visible and accessible at all times? Probably. An associate has explained that "the browser certificate infrastructure is a complete farce because of how it is arranged." We explained this many times in the context of Geminispace, where LE is becoming almost extinct (only about 0.5% of active Gemini capsules still use it).
Factors worth thinking about: Is some ulterior motive possible? And if so, which? Or whose?
Who stands to benefit from it?
"It may make fly-by substitutions less noticeable," the associate hypothesised. But my thought was, in practice revoking certificates has long been possible and it happened before (even millions at the time; it's already possible and it already happened some years ago).
LE isn't to be trusted. They are MitM (Man-in-the-Middle) no matter how long for the certificates may last. Will 6 days become 6 hours in the future? Remember that if rotation happens every hour, this is what happens. "It creates a lot of churn," the associate opined, "to be sure. One of the big questions would be which groups and activities would benefit from such terrible churn."
For now we assume no smoke, probably no fire. We're only asking questions. If you have some other ideas, let us know, e.g. in IRC. We're still developing (or gradually formulating) a more formal stance on that matter.
Remember who controls LE. Be sure to check the sponsors' list. It's quite revealing. █