Removing expiry dates for TOFU
colecmac at protonmail.com
Mon Jul 6 15:41:24 BST 2020
Good to hear, thanks! Now we just have to get all the servers
to switch over...
makeworld
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, July 6, 2020 8:55 AM, Solderpunk <solderpunk at posteo.net> wrote:
> On Mon Jul 6, 2020 at 12:18 AM CEST, wrote:
>
> > 5 year certs sound like a good compromise to me. We can make client
> > messages sufficiently scary, seeing as a five year expiry will make
> > TOFU issue somewhat rare. Will you set that as a default for your
> > cert tool then?
>
> Maybe! ;) I do plan to finally start work on that tool this week, by
> the way.
>
> Hopefully by 2025 we'll have agreed on a way to do smooth roll-overs
> which is widely implemented! If that does happen, and it's easily
> automated (which I'd very much like it to be), maybe we can start
> shifting towards less long-lived keys/certs for extra peace of mind.
>
> > Do you agree with my original recommendation that clients should
> > auto-accept any cert once the old one has expired? This seems relevant
> > here. I think it's nice for UX, although I see the obvious security
> > risk.
>
> In the absence of any other roll-over mechanism, yeah, this seems like
> sane behaviour for a TOFU client.
>
> Cheers,
> Solderpunk
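A minimal model of the roll-over policy the thread settles on (trust on first use, auto-accept a changed cert only once the pinned one has expired, refuse a change while the pin is still valid), as an added example that is not code from this thread or from any Gemini client; the store layout, verdict names, fingerprints and dates are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Pin:
    # Stands in for a real certificate's SHA-256 fingerprint and notAfter date.
    fingerprint: str
    not_after: datetime


class TofuStore:
    """Known-hosts store for a TOFU client: one pinned cert per host."""

    def __init__(self):
        self.pins = {}  # host -> Pin

    def verify(self, host, fingerprint, not_after, now):
        """Return (verdict, message); update the pin whenever a cert is accepted."""
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = Pin(fingerprint, not_after)  # first use: trust and pin
            return "trusted-first-use", f"pinned new cert for {host}"
        if pinned.fingerprint == fingerprint:
            return "ok", "matches pinned cert"
        if pinned.not_after <= now:
            # Assumed roll-over rule from the thread: the old pin has expired, so
            # the server had to re-issue; accept, but keep a verdict the UI can show.
            self.pins[host] = Pin(fingerprint, not_after)
            return "rotated-after-expiry", (
                f"pinned cert expired {pinned.not_after:%Y-%m-%d}; accepted new one")
        # Pin still valid but fingerprint differs: the case that warrants a scary message.
        return "mismatch", "cert changed before pinned cert expired; refusing"


def demo():
    """Walk one host through all four verdicts with constructed dates/fingerprints."""
    utc = timezone.utc
    store = TofuStore()
    now = datetime(2020, 7, 6, tzinfo=utc)
    five_years = datetime(2025, 7, 6, tzinfo=utc)  # the 5-year cert from the thread
    verdicts = [
        store.verify("example.org", "fp-old", five_years, now)[0],
        store.verify("example.org", "fp-old", five_years, now)[0],
        store.verify("example.org", "fp-new", five_years, now)[0],  # still valid -> refuse
        store.verify("example.org", "fp-new", datetime(2030, 8, 1, tzinfo=utc),
                     datetime(2025, 8, 1, tzinfo=utc))[0],  # pin expired -> accept
    ]
    return verdicts, store.pins["example.org"].fingerprint


if __name__ == "__main__":
    print(demo())
```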