On certificates and validation

[Drew DeVault]

On Thu Nov 26, 2020 at 6:02 AM EST, Björn Wärmedal wrote:
> > Ssh doesn't expire its keys, and isn't worse for that.
>
> This is the analogue I was looking for. SSH doesn't care about Common
> Name or other cruft in the cert, either.

We use TLS, not SSH.

> I agree that some sort of sanity check is nice, but at the same time I
> have trouble finding a philosophical or practical reason for doing any
> sort of validation on first use, and any beyond "same as last time" on
> subsequent visits.
>
> Yes, Drew says I should. But are there any arguments supporting that
> position?

These are configurable parameters. If they are configured incorrectly,
then we should reject the certificate. Someone may have configured them
with an expiration, for example, by design, knowing that their server
would soon disappear, and that certificate reuse signals that something
stinky is going on. Or the common name could be set because the admin
has chosen to set up their own certificate authority, perhaps complete
with signed client-side certificates, and the common name is used to
strongly identify the server.

Consider that the stakes are leaking your user's private information and
do your goddamn job as a responsible steward of their needs.