[Cryptography] SSL Certificates are expiring...

Stephen Farrell stephen.farrell at cs.tcd.ie
Thu Feb 6 15:18:27 EST 2020


Hiya,

On 05/02/2020 12:36, Stephan Neuhaus wrote:
> I have been working with several IoT people and some solve this problem 
> by issuing certs that expire in the year 9999 (i.e., never). Of course 
> that solves the problem of the CA cert expiring, but on the other hand 
> this is not how it was supposed to be.

Well, it kinda is how it was supposed to be though:-)
[1] says:

"To indicate that a certificate has no well-defined
expiration date, the notAfter SHOULD be assigned the
GeneralizedTime value of 99991231235959Z."

We added that for just this kind of reason.

But I also agree with you that X.509 based PKI doesn't
match the needs of lots of applications, but nonetheless
gets used by them, due to the lack of an alternative.

ISTM there's a chance to fix that with the upcoming
transition-to/integration-of PQ algs. Sadly though, a
whole bunch of people seem to still want to keep using
x.509 even then;-(

Cheers,
S.

[1] https://tools.ietf.org/html/rfc5280#section-4.1.2.5
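
The rule quoted above from RFC 5280 section 4.1.2.5, as an added example that is not part of the original message: a DER encoder and decoder for the notAfter field that applies the same section's UTCTime/GeneralizedTime cutoff and recognises the 99991231235959Z value. The function names are hypothetical, and the input datetime is assumed to already be in UTC.

```python
from datetime import datetime, timezone

NO_EXPIRY = "99991231235959Z"   # RFC 5280 4.1.2.5 "no well-defined expiration"
TAG_UTCTIME, TAG_GENERALIZEDTIME = 0x17, 0x18   # ASN.1 universal tags

def encode_not_after(dt=None):
    """DER-encode notAfter. dt is assumed to be UTC; None means no expiry."""
    if dt is None:
        tag, text = TAG_GENERALIZEDTIME, NO_EXPIRY
    elif 1950 <= dt.year <= 2049:
        # Dates through 2049 MUST be UTCTime (two-digit year).
        tag, text = TAG_UTCTIME, dt.strftime("%y%m%d%H%M%SZ")
    elif dt.year >= 2050:
        # Dates in 2050 or later MUST be GeneralizedTime (four-digit year).
        tag, text = TAG_GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ")
    else:
        raise ValueError("years before 1950 are not handled by this example")
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body

def decode_not_after(der):
    """Parse a DER Time TLV; return (datetime in UTC, never_expires flag)."""
    if len(der) < 2 or len(der) != 2 + der[1]:
        raise ValueError("malformed Time TLV")
    tag, text = der[0], der[2:].decode("ascii")
    if not text.endswith("Z"):
        raise ValueError("validity times must be in UTC (trailing Z)")
    if tag == TAG_UTCTIME and len(text) == 13:
        yy = int(text[:2])
        # YY >= 50 is read as 19YY, YY < 50 as 20YY.
        full = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:-1]}"
    elif tag == TAG_GENERALIZEDTIME and len(text) == 15:
        full = text[:-1]
    else:
        raise ValueError("unexpected tag or length for a validity time")
    when = datetime.strptime(full, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return when, (tag == TAG_GENERALIZEDTIME and text == NO_EXPIRY)

def is_expired(der, now):
    """True if notAfter has passed; the sentinel is never treated as expired."""
    when, never = decode_not_after(der)
    return (not never) and now > when
```
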