Removing expiry dates for TOFU
Solderpunk
solderpunk at posteo.net
Mon Jul 6 15:36:46 BST 2020
On Mon Jul 6, 2020 at 4:35 PM CEST, Laurens Vets wrote:
> Also note that soon(-ish) Apple, Google & Mozilla browsers will _only_
> accept certificates with a valid lifetime of maximum 1 year, effectively
> making this a "standard". While not necessarily relevant to Gemini
> directly, it's something to keep in mind.
Yes, the CA/Browser forum (https://cabforum.org/) is really pushing for
shorter certificate lifespans. It makes a good amount of sense if you
buy into the whole CA system. I think under a TOFU scheme the structure
of incentives and risks is pretty different. At least in these early
days where there's no widespread agreement and implementation on ways to
rotate keys more regularly without training users to always click
through any warning they see, I think using longer lived certs has
definite upsides.
Cheers,
Solderpunk