[Cryptography] Revocation is an Authorization issue

Kevin W. Wall kevin.w.wall at gmail.com
Sun Aug 22 12:53:48 EDT 2021


On Sat, Aug 21, 2021, 10:57 PM Ray Dillinger <bear at sonic.net> wrote:

> Renewing an expired cert is mainly an afterthought now, even for
> "serious" businesses.  If revocation were a real thing that could matter to
> anyone, an expired or revoked cert should and would literally and
> absolutely shut your entire website down.  If it happened to a "serious"
> company it would be a six-alarm emergency that costs people careers.

That's not quite 100% accurate. A big exception is X.509 certs used with
TLS connections over HTTP for web services. Those are generally called
either machine-to-machine or via AJAX or directly via a native mobile app,
and therefore out of reach of the casual user being able to accept the
expired certificate. And an expired certificate in those cases on the
server will break the intended use case as the https connection will fail.
That's just how most of the HttpClient software libraries work in those
cases.

-kevin
-- 
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
| OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
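An added example, not part of Kevin's message or the thread, illustrating the point about how HTTP client libraries handle an expired server certificate: a verifying client has no "accept anyway" path, so the validity-period check decides whether the connection is usable at all. It uses only the Python standard library; the two certificate dicts are constructed sample data in the shape `ssl.SSLSocket.getpeercert()` returns, and the function names (`validity_status`, `strict_client_context`, `context_enforces_validity`) are the example's own.

```python
"""Added example (not from the thread): what a strict TLS client does with an
expired server certificate, using only the Python standard library.

Two things are shown:
 1. ssl.create_default_context() is what most HTTP client libraries build on;
    it requires a valid chain and a matching hostname, with no user prompt.
 2. The validity-period check itself, applied to a certificate dict in the
    shape ssl.SSLSocket.getpeercert() returns. Both certs below are constructed
    sample data, not real certificates.
"""
import ssl
import time
from typing import Optional

# Constructed sample: getpeercert()-style dicts; the dates use the
# "%b %d %H:%M:%S %Y GMT" layout that ssl.cert_time_to_seconds() parses.
EXPIRED_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}
CURRENT_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


def validity_status(cert: dict, now: Optional[float] = None) -> str:
    """Return 'valid', 'expired' or 'not-yet-valid' for a getpeercert() dict.

    This is the time check every verifying client performs before it sends
    application data; a machine-to-machine caller has no user who could
    override the verdict, so 'expired' means the request simply fails.
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "valid"


def strict_client_context() -> ssl.SSLContext:
    """The context a correctly configured HTTP client library uses.

    CERT_REQUIRED plus check_hostname means an expired, untrusted or
    mismatched server certificate makes the handshake raise
    ssl.SSLCertVerificationError; the request never reaches the app layer.
    """
    ctx = ssl.create_default_context()
    return ctx


def context_enforces_validity(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject an expired/untrusted server cert.

    Handy as a unit-test guard for service code: it catches the common
    CERT_NONE / check_hostname=False workaround that silently gives an
    automated caller the casual user's 'accept anyway' behaviour.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for name, cert in (("expired", EXPIRED_CERT), ("current", CURRENT_CERT)):
        print(f"{name} cert: {validity_status(cert)}")
    print("default context enforces validity:",
          context_enforces_validity(strict_client_context()))
    # The weak configuration, for contrast: this is what "accepting" the
    # expired cert looks like when it is baked into client code.
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    print("CERT_NONE context enforces validity:",
          context_enforces_validity(loose))
```

Running it prints `expired` for the first sample and `valid` for the second, `True` for the default context and `False` for the CERT_NONE one. The `context_enforces_validity` check is the kind of assertion worth keeping in a service's test suite, since a disabled-verification context is the usual way an "expired cert broke production" incident turns into "someone turned verification off and it has been off ever since".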