On certificates and validation
marc
marcx2 at welz.org.za
Wed Nov 25 15:22:36 GMT 2020
> I strongly recommend not checking for CA-signed certificates, and only
> supporting TOFU.
+1
However, an observation: If one goes for TOFU, please
make the key expiry times decades or even centuries long.
The expiry date is the point at which a man-in-the-middle
attack is certain to work [*] - the weakness of TOFU. This is a
much graver concern than a hypothetical key compromise or
similar.
My cynical view is that expiration dates were added to
guarantee certification authorities a steady revenue
stream.
SSH doesn't expire its keys and isn't worse for that.
[*] If you can use the old key to validate the new one, then this
is a different matter.
regards
marc
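The decision marc sketches above (pin on first use, accept an unchanged key indefinitely, and let an old key vouch for its successor so that expiry never forces a blind re-pin) as a small worked example. This is added illustration code, not code from the post, from any Gemini client, or from the Gemini specification; the "continuity signature" format (old key signs the new key plus its expiry), the hostname and the dates are assumptions made for the demo. The lax store shows the window marc describes: once its pin has expired, a client with no way to validate the new key accepts whatever is presented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Outcome is the TOFU decision for one connection.
type Outcome string

const (
	OutcomeFirstUse   Outcome = "first-use: pinned"                             // the one trusted first contact
	OutcomeMatch      Outcome = "match: pinned key presented"                   // steady state, expiry irrelevant
	OutcomeRotated    Outcome = "rotated: new key signed by old key"            // marc's [*] case
	OutcomeBlindRepin Outcome = "blind re-pin: expired pin replaced unverified" // the MITM window
)

var ErrMismatch = errors.New("tofu: key changed and no valid continuity signature")

// Pin is what the client remembers about a host after first contact.
type Pin struct {
	Key      ed25519.PublicKey
	NotAfter time.Time
}

// Presented is what a server offers on a connection. ContinuitySig is a
// hypothetical cross-signature (assumption for this demo, not part of Gemini):
// the previously pinned key's signature over rotationMessage(Key, NotAfter).
type Presented struct {
	Key           ed25519.PublicKey
	NotAfter      time.Time
	ContinuitySig []byte
}

// Store is the client's pin database. RequireContinuity=false models a client
// that, once a pin has expired, simply trusts the next key it sees (re-TOFU).
type Store struct {
	Pins              map[string]Pin
	RequireContinuity bool
}

func NewStore(requireContinuity bool) *Store {
	return &Store{Pins: map[string]Pin{}, RequireContinuity: requireContinuity}
}

// Fingerprint is the SHA-256 of the raw public key, as a client would show a user.
func Fingerprint(k ed25519.PublicKey) string {
	sum := sha256.Sum256(k)
	return hex.EncodeToString(sum[:])
}

// rotationMessage binds the new key to its expiry so a captured signature cannot
// be replayed with a different lifetime.
func rotationMessage(newKey ed25519.PublicKey, notAfter time.Time) []byte {
	msg := []byte("key-rotation-v1:" + notAfter.UTC().Format(time.RFC3339) + ":")
	return append(msg, newKey...)
}

// SignRotation is what the server operator does with the OLD private key when
// introducing a new key.
func SignRotation(oldPriv ed25519.PrivateKey, newKey ed25519.PublicKey, notAfter time.Time) []byte {
	return ed25519.Sign(oldPriv, rotationMessage(newKey, notAfter))
}

// Verify makes the TOFU decision for one connection and updates the pin store.
func (s *Store) Verify(host string, p Presented, now time.Time) (Outcome, error) {
	pin, seen := s.Pins[host]
	newPin := Pin{Key: p.Key, NotAfter: p.NotAfter}
	switch {
	case !seen: // trust on first use
		s.Pins[host] = newPin
		return OutcomeFirstUse, nil
	case pin.Key.Equal(p.Key): // unchanged key is never weaker than first use
		return OutcomeMatch, nil
	case p.ContinuitySig != nil && ed25519.Verify(pin.Key, rotationMessage(p.Key, p.NotAfter), p.ContinuitySig):
		s.Pins[host] = newPin // old key vouched for the new one
		return OutcomeRotated, nil
	case now.After(pin.NotAfter) && !s.RequireContinuity:
		s.Pins[host] = newPin // expired pin, nothing to check against: accept blindly
		return OutcomeBlindRepin, nil
	}
	return "", ErrMismatch
}

// Scenario runs a strict and a lax client against a genuine server (keys A then B)
// and an attacker's key M. All keys and timestamps are constructed for the demo.
func Scenario() []string {
	const host = "example.org"
	now := time.Date(2020, 11, 25, 15, 22, 36, 0, time.UTC)
	day, year := 24*time.Hour, 365*24*time.Hour
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	pubM, _, _ := ed25519.GenerateKey(rand.Reader) // attacker's key, never cross-signed

	serverA := Presented{Key: pubA, NotAfter: now.Add(year)}
	serverB := Presented{Key: pubB, NotAfter: now.Add(2 * year),
		ContinuitySig: SignRotation(privA, pubB, now.Add(2*year))}
	mitm := Presented{Key: pubM, NotAfter: now.Add(year)}

	var out []string
	record := func(o Outcome, err error) {
		if err != nil {
			out = append(out, "reject: "+err.Error())
			return
		}
		out = append(out, string(o))
	}
	strict := NewStore(true)
	record(strict.Verify(host, serverA, now))
	record(strict.Verify(host, serverA, now.Add(day)))
	record(strict.Verify(host, mitm, now.Add(2*day)))
	record(strict.Verify(host, serverB, now.Add(3*day)))
	record(strict.Verify(host, mitm, now.Add(3*year))) // pin long expired, still rejected

	lax := NewStore(false)
	record(lax.Verify(host, serverA, now))
	record(lax.Verify(host, mitm, now.Add(day)))      // pin still valid: rejected
	record(lax.Verify(host, mitm, now.Add(year+day))) // pin expired: accepted blindly
	return out
}

func main() {
	for _, line := range Scenario() {
		fmt.Println(line)
	}
}
```

The only difference between the two stores is what happens after the pin's NotAfter: the strict store treats a key change without a continuity signature as an attack at any time, so the expiry date carries no trust decision at all; the lax store turns the expiry date into exactly the guaranteed-success moment the post warns about.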