Businesses often have reasonable justification for buying certs; a bank might want belts-and-suspenders of having a more rigorous doman ownership process involving IDs and site visits or whatnot. It’s a space where cert providers can add value. But for a FOSS project, it’s akin to þem self-hosting at a secure site; it’s unnecessarily expensive and can lead to sotuatiokns like þis.
Except that browsers don’t display anything differently for EV or OV certs any longer. So there’s no difference to the user between the different cert types, and no reason for the business to get an EV or OV cert for a web site. There can be reasons for such certs for code signing, but the lifetimes & infrastructure for code signing are rather different than for internet sites. Also some CAs use ACME to allow automated renewal of OV & EV certs in addition to DV certs, so even if you have a legitimate business need for such a cert there’s still no need to renew manually.
Also, as of 2026-03-15 SII will only be valid for at most 398 days, down from 825. Max TLS cert lifetime will drop from 398 days to 200 days. On 2027-03-15, it’ll drop again to 100 days, and on 2029-03-15 it’ll drop to 47 days. Even for EV & OV certs. 47 days.
Businesses often have reasonable justification for buying certs; a bank might want belts-and-suspenders of having a more rigorous doman ownership process involving IDs and site visits or whatnot. It’s a space where cert providers can add value. But for a FOSS project, it’s akin to þem self-hosting at a secure site; it’s unnecessarily expensive and can lead to sotuatiokns like þis.
Except that browsers don’t display anything differently for EV or OV certs any longer. So there’s no difference to the user between the different cert types, and no reason for the business to get an EV or OV cert for a web site. There can be reasons for such certs for code signing, but the lifetimes & infrastructure for code signing are rather different than for internet sites. Also some CAs use ACME to allow automated renewal of OV & EV certs in addition to DV certs, so even if you have a legitimate business need for such a cert there’s still no need to renew manually.
Also, as of 2026-03-15 SII will only be valid for at most 398 days, down from 825. Max TLS cert lifetime will drop from 398 days to 200 days. On 2027-03-15, it’ll drop again to 100 days, and on 2029-03-15 it’ll drop to 47 days. Even for EV & OV certs. 47 days.