Hacker News | cpach's comments

The one I’ve heard of is Igalia

https://www.igalia.com/


Are you on the NetBird dev team? :)

AFAICT you and 'ysleepy are in agreement.

We are, WireGuard needs O(N) updates to add a node to every other node.

Very cool project!


There is a solution for smoothing out the traffic: RFC 9733, ACME Renewal Information (ARI) Extension

https://datatracker.ietf.org/doc/rfc9773/


That only addresses half the problem and is just a suggestion vs something clients can't ignore.


If I would use short-lived certs I would make sure to choose an ACME client that has support for ARI (ACME Renewal Information). Then the CA will tell the client when it’s time to renew.


There’s also the DNS-01 challenge that works well for devices on private networks.


It’s capped to 15 years.

In another comment someone linked to a document from the Chrome team.

Here’s a quote that I found interesting:

“In Chrome Root Program Policy 1.5, we landed changes that set a maximum ‘term-limit’ (i.e., period of inclusion) for root CA certificates included in the Chrome Root Store to 15 years.

While we still prefer a more agile approach, and may again explore this in the future, we encourage CA Owners to explore how they can adopt more frequent root rotation.”

https://googlechrome.github.io/chromerootprogram/moving-forw...


It’ll be 5 years soon.


Would be cool. But since they’re a non-profit, they would need some way to make it scalable.


I see no problem with outsourcing ID verification to a trusted partner. Or they could verify payment by charging you $1 to verify you control the payment card, and combine that with address verification by paper-mailing a verification code.


Then you might as well get rid of TLS altogether.


You'd still want in-transit encryption. There are other methods than centralized trust like fingerprinting to detect forgeries.


Haven’t seen any such system that scales to billions of users.

