[tech] client certificate expiry

mbays mbays at sdf.org
Fri Mar 26 18:54:48 GMT 2021


* Thursday, 2021-03-25 at 23:59 +0100 - almaember <almaember at disroot.org>:

>On Thu, 25 Mar 2021 23:44:59 +0100 mbays <mbays at sdf.org> wrote:
>
>> Does it make sense to give a self-signed client certificate an
>> expiration date? I think not, and therefore according to RFC5280
>> section 4.1.2.5, notAfter should be set to 9999-12-31 23:59.
>> => https://tools.ietf.org/html/rfc5280#section-4.1.2.5
>
>To me, it seems that certain clients (I haven't used all of them) allow
>the user to select an expiration date when generating the certificate.
>In my opinion, this is the best approach.

Under what circumstances would it make sense to set an expiration date? 
What does it indicate? RFC5280 says "The certificate validity period is 
the time interval during which the CA warrants that it will maintain 
information about the status of the certificate.". With a self-signed 
certificate there's no CA, so this seems to be meaningless.

>> notAfter time gives a way to fingerprint clients.
>That fingerprinting would be highly ineffective (can only detect the
>client used), and is nothing in comparison to the most important
>privacy risk right now, which is your IP.

Sure, but I don't think that means it isn't worth dealing with.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20210326/25e598ae/attachment.sig>


More information about the Gemini mailing list