[tech] client certificate expiry

mbays mbays at sdf.org
Thu Mar 25 22:44:59 GMT 2021


Does it make sense to give a self-signed client certificate an 
expiration date? I think not, and therefore according to RFC5280 section 
4.1.2.5, notAfter should be set to 9999-12-31 23:59.
=> https://tools.ietf.org/html/rfc5280#section-4.1.2.5

The same goes for self-signed server certificates, but I mention this in 
the context of client certs because the notAfter time gives a way to 
fingerprint clients. So it would be good for clients which generate 
client certs to agree on this.
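
An added example, not part of the original message: a Go sketch of how a client could generate a self-signed client certificate with the RFC 5280 section 4.1.2.5 "no well-defined expiration" value, so that every certificate carries the same notAfter. The names `NoExpiry`, `NewClientCert` and `ValidityEnd`, the Ed25519 key type and the common names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NoExpiry is the RFC 5280 section 4.1.2.5 value for a certificate with no
// well-defined expiration date (GeneralizedTime 99991231235959Z).
var NoExpiry = time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC)

// NewClientCert returns the DER encoding of a fresh self-signed client
// certificate whose notAfter is NoExpiry (hypothetical helper).
func NewClientCert(commonName string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().UTC(),
		NotAfter:     NoExpiry, // identical for every client, so it adds no fingerprint
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// Template and parent are the same certificate: self-signed.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// ValidityEnd parses a DER certificate and returns its notAfter in the
// GeneralizedTime text form, as a server inspecting the certificate sees it.
func ValidityEnd(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return cert.NotAfter.UTC().Format("20060102150405Z"), nil
}

func main() {
	for _, name := range []string{"alice", "bob"} { // constructed sample names
		der, _ := NewClientCert(name)
		end, _ := ValidityEnd(der)
		fmt.Println(name, "notAfter:", end)
	}
}
```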