
What is the purpose of frequently rotating TLS certificates without changing underlying keys?

Çağlar Arlı


I read in the OWASP cheat sheet regarding certificate / public-key pinning that “Google rotates its certificates … about once a month … [but] the underlying public keys … remain static”.

Increasing the frequency of key rotation makes sense to me in that, should a key be compromised without detection, the time frame for ongoing damages is reduced.

What is the benefit of rotating certificates so frequently? Is it to allow them to use SHA1 (for old-browser compatibility) whilst limiting an adversary's scope for finding a matching signature? Or is there something else that I'm missing?
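As an added illustration (not part of the original question or of the OWASP cheat sheet), the Go program below re-issues a certificate for an unchanged key, as the quoted Google practice does, and checks which hash a client could have pinned: the SubjectPublicKeyInfo hash is the same across both certificates, while the whole-certificate hash differs. The self-signed issuer and the name `pin.example` are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert self-signs a one-month certificate for key with a fresh serial:
// a constructed stand-in for a CA re-issuing a cert for an unchanged key.
func issueCert(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "pin.example"}, // placeholder name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 1, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SPKIPin hashes the SubjectPublicKeyInfo, the value a public-key pin
// (as in the OWASP cheat sheet) compares; it depends only on the key.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// CertHash hashes the whole DER certificate; it changes on every re-issue.
func CertHash(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// RotateAndCompare issues two certs a month apart for one key and reports which hash survives.
func RotateAndCompare() (samePin, sameCertHash bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	old, err := issueCert(key, 1, time.Now())
	if err != nil {
		return false, false, err
	}
	renewed, err := issueCert(key, 2, time.Now().AddDate(0, 1, 0))
	if err != nil {
		return false, false, err
	}
	return SPKIPin(old) == SPKIPin(renewed), CertHash(old) == CertHash(renewed), nil
}
```

A client that pinned `SPKIPin` keeps connecting after the monthly re-issue; one that pinned `CertHash` breaks on the first rotation.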