Removing expiry dates for TOFU

Laurens Vets laurens at daemon.be
Mon Jul 6 15:35:32 BST 2020


On 2020-07-05 15:18, colecmac at protonmail.com wrote:
> 5 year certs sound like a good compromise to me. We can make client
> messages sufficiently scary, seeing as a five year expiry will make
> TOFU issue somewhat rare. Will you set that as a default for your
> cert tool then?
> 
> Do you agree with my original recommendation that clients should
> auto-accept any cert once the old one has expired? This seems relevant
> here. I think it's nice for UX, although I see the obvious security 
> risk.

Also note that soon(-ish) Apple, Google & Mozilla browsers will _only_ 
accept certificates with a valid lifetime of maximum 1 year, effectively 
making this a "standard". While not necessarily relevant to Gemini 
directly, it's something to keep in mind.
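The TOFU policy the thread is weighing (pin on first use, accept a changed certificate only once the pinned one has expired, refuse certificates with a lifetime beyond the five-year compromise), written out as an added Python example that is not part of this thread or of any Gemini client. The fingerprints, dates and host name are constructed placeholders; the `accept_after_expiry` switch is the hypothetical knob separating the two behaviours being discussed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Decision(Enum):
    FIRST_USE = "no pin yet: pin this cert and accept"
    MATCH = "fingerprint matches pin: accept"
    RENEWED_AFTER_EXPIRY = "pin expired and cert changed: re-pin silently"
    MISMATCH = "pin still valid but cert changed: refuse and warn loudly"

@dataclass(frozen=True)
class Cert:
    fingerprint: str      # hex SHA-256 of the DER cert; values below are constructed
    not_before: datetime
    not_after: datetime

MAX_LIFETIME = timedelta(days=5 * 365)   # the five-year compromise from the thread

def lifetime_ok(cert: Cert, max_lifetime: timedelta = MAX_LIFETIME) -> bool:
    # Refuse to pin a cert whose validity window is longer than agreed.
    return cert.not_after - cert.not_before <= max_lifetime

def tofu_decide(pins: dict, host: str, cert: Cert, now: datetime,
                accept_after_expiry: bool = True) -> Decision:
    # The two policies differ in one branch only: a changed fingerprint seen after not_after.
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = cert
        return Decision.FIRST_USE
    if pinned.fingerprint == cert.fingerprint:
        return Decision.MATCH
    if now > pinned.not_after and accept_after_expiry:
        pins[host] = cert   # the window the "obvious security risk" in the thread refers to
        return Decision.RENEWED_AFTER_EXPIRY
    return Decision.MISMATCH

def run_scenarios() -> list:
    # Constructed walk-through: first visit, revisit, rotation after expiry under both policies,
    # rotation before expiry, and a certificate that is valid for far too long.
    t0 = datetime(2020, 7, 6, tzinfo=timezone.utc)
    day = timedelta(days=1)
    old = Cert("aa" * 32, t0, t0 + 365 * day)
    new = Cert("bb" * 32, t0 + 366 * day, t0 + 731 * day)
    pins = {}
    out = [tofu_decide(pins, "example.org", old, t0).name,
           tofu_decide(pins, "example.org", old, t0 + 30 * day).name,
           tofu_decide(pins, "example.org", new, t0 + 400 * day).name,
           tofu_decide({"example.org": old}, "example.org", new, t0 + 400 * day, accept_after_expiry=False).name,
           tofu_decide({"example.org": old}, "example.org", new, t0 + 100 * day).name]
    out.append(lifetime_ok(Cert("cc" * 32, t0, t0 + 10 * 365 * day)))
    return out
```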


More information about the Gemini mailing list