[tech] client certificate expiry
mbays at sdf.org
Fri Mar 26 18:54:48 GMT 2021
* Thursday, 2021-03-25 at 23:59 +0100 - almaember <almaember at disroot.org>:
>On Thu, 25 Mar 2021 23:44:59 +0100 mbays <mbays at sdf.org> wrote:
>> Does it make sense to give a self-signed client certificate an
>> expiration date? I think not, and therefore according to RFC5280
>> section 4.1.2.5, notAfter should be set to 9999-12-31 23:59.
>> => https://tools.ietf.org/html/rfc5280#section-4.1.2.5
>To me, it seems that certain clients (I haven't used all of them) allow
>the user to select an expiration date when generating the certificate.
>In my opinion, this is the best approach.
Under what circumstances would it make sense to set an expiration date?
What does it indicate? RFC5280 says "The certificate validity period is
the time interval during which the CA warrants that it will maintain
information about the status of the certificate.". With a self-signed
certificate there's no CA, so this seems to be meaningless.
>> notAfter time gives a way to fingerprint clients.
>That fingerprinting would be highly ineffective (can only detect the
>client used), and is nothing in comparison to the most important
>privacy risk right now, which is your IP.
Sure, but I don't think that means it isn't worth dealing with.
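An added example, not part of the thread above: a stdlib-only check that reads the validity period out of a DER certificate and reports whether notAfter is the RFC 5280 section 4.1.2.5 "no well-defined expiration" value 99991231235959Z, which is what a client that decides against an expiry date should emit. The two certificates it inspects are constructed inline (a certificate-shaped SEQUENCE that stops after the validity field, with no key or signature), so it runs offline; the encoding rule it enforces (UTCTime for years before 2050, GeneralizedTime from 2050 on) is the one in that section.

```python
# Added example (not from the thread): check whether a certificate's notAfter is the
# RFC 5280 4.1.2.5 "no well-defined expiration" value 99991231235959Z, using only the
# standard library and a minimal DER walker. The sample certificates are constructed
# below and contain only the tbsCertificate fields up to validity (no key, no signature).
from datetime import datetime, timezone

# RFC 5280 4.1.2.5: notAfter = GeneralizedTime 99991231235959Z means "no well-defined expiry".
NO_EXPIRY = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

TAG_INTEGER, TAG_UTCTIME, TAG_GENTIME, TAG_SEQUENCE, TAG_CTX0 = 0x02, 0x17, 0x18, 0x30, 0xA0


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag, value):
    """Decode a Time CHOICE as RFC 5280 requires: UTCTime before 2050, GeneralizedTime from 2050 on."""
    s = value.decode("ascii")
    if tag == TAG_UTCTIME and len(s) == 13 and s.endswith("Z"):
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 4.1.2.5.1 century rule
        rest = s[2:12]
    elif tag == TAG_GENTIME and len(s) == 15 and s.endswith("Z"):
        year = int(s[:4])
        rest = s[4:14]
        if year < 2050:                     # a conforming encoder would have used UTCTime here
            raise ValueError("GeneralizedTime used for a year RFC 5280 requires as UTCTime")
    else:
        raise ValueError("malformed Time")
    mo, d, h, mi, sec = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, sec, tzinfo=timezone.utc)


def validity(cert_der):
    """Return (notBefore, notAfter) from a DER Certificate by walking tbsCertificate."""
    _, cert, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag == TAG_CTX0:                         # optional [0] EXPLICIT version
        tag, _, pos = read_tlv(tbs, pos)        # serialNumber
    if tag != TAG_INTEGER:
        raise ValueError("serialNumber not found")
    _, _, pos = read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)              # issuer Name
    tag, val, _ = read_tlv(tbs, pos)            # validity ::= SEQUENCE { notBefore, notAfter }
    if tag != TAG_SEQUENCE:
        raise ValueError("validity not found")
    t1, v1, pos = read_tlv(val, 0)
    t2, v2, _ = read_tlv(val, pos)
    return parse_time(t1, v1), parse_time(t2, v2)


def has_no_expiry(cert_der):
    """True when notAfter is the RFC 5280 sentinel, i.e. the cert was issued without an expiry."""
    return validity(cert_der)[1] == NO_EXPIRY


def der(tag, body):
    """Encode one DER TLV (helper used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def sample_cert(not_before, not_after):
    """Constructed, certificate-shaped DER: version, serial, empty signature and issuer
    placeholders, then the validity. The walker above never reads past validity."""
    tbs = (der(TAG_CTX0, der(TAG_INTEGER, b"\x02"))      # version v3
           + der(TAG_INTEGER, b"\x01")                   # serialNumber 1
           + der(TAG_SEQUENCE, b"")                      # signature (placeholder)
           + der(TAG_SEQUENCE, b"")                      # issuer (placeholder)
           + der(TAG_SEQUENCE, not_before + not_after))  # validity
    return der(TAG_SEQUENCE, der(TAG_SEQUENCE, tbs))


# Two constructed client certs: one with the no-expiry sentinel, one expiring after a year.
CERT_NO_EXPIRY = sample_cert(der(TAG_UTCTIME, b"210325225959Z"), der(TAG_GENTIME, b"99991231235959Z"))
CERT_ONE_YEAR = sample_cert(der(TAG_UTCTIME, b"210325225959Z"), der(TAG_UTCTIME, b"220325225959Z"))

if __name__ == "__main__":
    for name, cert in (("no-expiry", CERT_NO_EXPIRY), ("one-year", CERT_ONE_YEAR)):
        nb, na = validity(cert)
        print(name, nb.isoformat(), na.isoformat(), "no expiry" if has_no_expiry(cert) else "expires")
```

To run it against a real certificate, read the DER bytes (or the base64 body of a PEM file, decoded) and pass them to validity(); the walker only needs the fields that precede validity, so it works on any well-formed v1 or v3 certificate. The same function makes the fingerprinting point concrete: a client that writes anything other than the exact sentinel, or that encodes a pre-2050 date as GeneralizedTime, is distinguishable from one that follows the RFC.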