TOFU, OK, but even with an expired certificate?
colecmac at protonmail.com
Mon Dec 7 14:07:11 GMT 2020
On Monday, December 7, 2020 1:48 AM, Björn Wärmedal <bjorn.warmedal at gmail.com> wrote:
> On Sun, 6 Dec 2020 at 18:25, colecmac at protonmail.com wrote:
>
> > It is indeed expired and should be rejected, as you saw with gnutls and
> > Amfora.
>
> I disagree with makeworld on this.

The advantage of having expiry dates is that if the server admin
loses the key, or their hardware, or something like that, they know
that clients will accept the new cert after a certain period of time,
with no issues or scary warnings. Now, I know that this becomes a bit
counter-intuitive when certs expire 5 years in the future, but I still
think it's a good quality to have.

makeworld
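
The policy argued for in this message, sketched as an added example (not code from the post, gnutls or Amfora): an expired certificate is rejected, and a changed certificate is accepted without a warning only once the pinned certificate's expiry date has passed. The `Store`, `Check` and `Decision` names, the host and the fingerprints are hypothetical, constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the outcome of a TOFU check. All names here are hypothetical.
type Decision string

const (
	FirstUse Decision = "trust-on-first-use"
	Match    Decision = "match"
	Expired  Decision = "reject-expired"
	Rotated  Decision = "accept-after-pin-expiry"
	Mismatch Decision = "warn-mismatch"
)

// pin is what the client remembers per host; Store keeps pins in memory only.
type pin struct {
	fingerprint string
	notAfter    time.Time
}
type Store map[string]pin

// Check rejects expired certificates and accepts a changed certificate
// silently only once the pinned certificate's own expiry date has passed.
func (s Store) Check(host, fp string, notAfter, now time.Time) Decision {
	old, seen := s[host]
	switch {
	case now.After(notAfter):
		return Expired
	case !seen:
		s[host] = pin{fp, notAfter}
		return FirstUse
	case old.fingerprint == fp:
		return Match
	case now.After(old.notAfter):
		s[host] = pin{fp, notAfter}
		return Rotated
	}
	return Mismatch
}

func main() {
	t0 := time.Date(2020, 12, 7, 0, 0, 0, 0, time.UTC) // constructed sample data
	s := Store{}
	fmt.Println(s.Check("example.org", "aa", t0.AddDate(1, 0, 0), t0))
	fmt.Println(s.Check("example.org", "bb", t0.AddDate(3, 0, 0), t0.AddDate(2, 0, 0)))
}
```

A changed certificate seen before the pin expires returns `warn-mismatch` and leaves the stored pin untouched, so the window in which a substituted certificate goes unnoticed is bounded by the pinned certificate's lifetime.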