this post was submitted on 17 Apr 2025
Sysadmin
[–] [email protected] 7 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I still think this is all pointless and just puts extra strain on the infrastructure needed to create the certs. The chances of a successful MITM attack are very, very small. Places like Let’s Encrypt and the like have done way more for security by making cert creation more automated than by shortening these certs’ lifespans. The bigger problem is self-signed certs, expired certs, and/or certs based on weak/outdated protocols. The only thing this is going to accomplish is a general acceptance of slack security practices. Want proof? Go look at any office that requires too-frequent password changes with asinine complex password rules and you’ll find many, many more passwords written on sticky notes, or passwords that do silly things like incrementing a number on the end or something similar.

In my opinion, this whole thing is putting a band-aid on a bullet wound. If you want to fix the issues, make the certs more secure, not shorter-lived; create better revocation processes; and automate the hell out of everything.

[–] [email protected] 1 points 2 weeks ago

The automation isn’t difficult to set up, and really only seems to me like all the more reason to shorten the lifespan.