TLS Expiration Times aren't Cloud Native

[benr]

cnspec-policies/core/mondoo-tls-security.mql.yaml

Line 88 in ce33e0b

case tls.certificates.first.expiresIn.days > 150: score(100);

The TLS Baseline policy specifes the following scores for ages:

        case tls.certificates.first.expiresIn.days > 150: score(100);
        case tls.certificates.first.expiresIn.days > 120: score(70);
        case tls.certificates.first.expiresIn.days > 90: score(50);
        case tls.certificates.first.expiresIn.days > 60: score(20);
        case tls.certificates.first.expiresIn.days > 30: score(9);
        default: score(0);

These expiration assume a traditional PKI with 1year or longer certificate lifecycles which aren't common any longer. Thanks to cloud certificate managers, such as Google Cert Manager and Lets Encrypt use a 90 day certificate which is renewed at the 30 day mark, see:

• https://letsencrypt.org/2015/11/09/why-90-days.html
• https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs

"Google Cloud provisions managed certificates valid for 90 days. About one month before expiry, the process to renew your certificate automatically begins."

Therefore I propose a new scheme:

        case tls.certificates.first.expiresIn.days > 30: score(100);
        case tls.certificates.first.expiresIn.days > 21: score(50);
        case tls.certificates.first.expiresIn.days > 7: score(20);
        case tls.certificates.first.expiresIn.days > 7: score(9);
        default: score(0);

[benr]

@atomic111 I'd value your input on this proposal.

[atomic111]

@benr good point. i will update it