I've said this before, and I feel more and more confident in this position: Expiry dates in general and CA issued certs in particular really do not mix well with TOFU. When a cert expires a window for MitMA is opened. When this happens every 30-60 days it becomes quite ridiculous. An SSH hostkey has no expiration date; neither should certificates in geminispace (or at the very least we shouldn't care about it).

I even go further and claim that neither Common Name nor Subject Alternative Names matter either. With a self-signed certificate these are as easily forged as any other fields. I know a lot of people disagree with me here, but I have yet to see an argument that can convince me that CN, SAN, not-valid-before or not-valid-after have any bearing on the security of the certificate or give me as a user any information that helps me make a safe decision. All of these fields are crucial in a CA validation scheme, but only add a false sense of security in TOFU.

As for the specific question: a crawler has no way to make useful decisions about the security of the certificate. It should just not try.

Cheers,
ew0k

(Also: Ho ho ho! Merry Christmas, everyone!)