Hello gemheads,

Amfora recently got some basic client cert support, and it has me wondering: What to do about expiry dates? Should servers not care if client certs expire? Should clients and users be generating certs that last for 100 years? I'm not sure what the best practice is, but I want to get it right.

It seems to me that while having an expiry date on client certs might be useful for security, it will become a UX problem a few years down the line, when apps need to have some way to associate a new cert with the same previous account. On the other hand, if a cert gets compromised and never expires, the server then needs to have some sort of revocation mechanism, I guess. It seems to me the former is a more prominent issue.

makeworld
---