Key bit:

> but we are going to introduce a new offering that's a big shift from anything we've done before - short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.
On a side note, I've had fun playing with something like this with Caddy, StepCA and bind running in a homelab. Using the rfc2136 plugin, I've managed to rotate certs every ten minutes.

Every six days is fine, just use something like Caddy that rotates the certs for you and it should just be set it and forget it.

Yes, I realize this is a bit glib.
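The operational point behind "set it and forget it" is that the renewal window shrinks with the lifetime: a 90-day cert renewed at two thirds of its life leaves a 30-day window in which a daily check can retry many times, while a six-day cert leaves 48 hours, so the check cadence has to follow. The Go program below is an added example, not code from the comment above, from Caddy or from Let's Encrypt; it builds a constructed self-signed certificate with the Go standard library, applies an assumed renew-at-two-thirds policy (the classic 90/30 rule, not Let's Encrypt's ARI guidance), and derives the longest check interval that still leaves a chosen number of retries before expiry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed renewal policy: start renewing once 2/3 of the lifetime has
// elapsed (90-day certs renewed 30 days before expiry). Integer arithmetic
// keeps the result exact for whole-hour lifetimes.
const (
	renewNum = 2
	renewDen = 3
)

// lifetime returns the certificate's total validity period.
func lifetime(cert *x509.Certificate) time.Duration {
	return cert.NotAfter.Sub(cert.NotBefore)
}

// renewAfter returns the instant at which renewal should begin.
func renewAfter(cert *x509.Certificate) time.Time {
	return cert.NotBefore.Add(lifetime(cert) * renewNum / renewDen)
}

// renewalDue reports whether now is at or past the renewal point.
func renewalDue(cert *x509.Certificate, now time.Time) bool {
	return !now.Before(renewAfter(cert))
}

// maxCheckInterval is the longest gap between renewal checks that still
// leaves at least minAttempts tries between the renewal point and expiry.
func maxCheckInterval(cert *x509.Certificate, minAttempts int) time.Duration {
	window := cert.NotAfter.Sub(renewAfter(cert))
	return window / time.Duration(minAttempts)
}

// selfSigned builds a constructed self-signed certificate (test input only;
// a real deployment gets its certs from the ACME CA). X.509 stores validity
// with one-second precision, so pass whole-second times.
func selfSigned(notBefore time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // hypothetical name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	for _, days := range []int{90, 6} {
		cert, err := selfSigned(start, time.Duration(days)*24*time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d-day cert: renew after %s, check at least every %s to keep 4 retries\n",
			days, renewAfter(cert).Format(time.RFC3339), maxCheckInterval(cert, 4))
	}
}
```

Run as-is it prints a 60-day renewal point with a 7.5-day check interval for the 90-day cert, and a 4-day renewal point with a 12-hour interval for the six-day one; a weekly cron job that was fine for the former would miss the window entirely for the latter, which is why an in-process renewer like Caddy's is the comfortable choice.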
Prossimo: That would be rustls, a project that bypassed OpenSSL in every aspect by now. Really everybody should switch over.

https://www.memorysafety.org/initiative/rustls/