On 2021-03-05 , Philip Linde wrote: > What is the motivation for ignoring CN? What is the motivation for using it? In a TOFU system the only real information that matters is the public key. > The client (according to the procedure you describe in your article) > will find the old cert in known_hosts in step 2., see that the served > certificate differs and consider the new certificate UNTRUSTED. That is > true regardless of whether you immediately replace the certificate or > wait until the old one has expired, unless the client *doen't* ignore > notBefore/notAfter and uses those dates to vacuum known_hosts to remove > expired certificates automatically (which is impossible given the store > format you currently recommend). The format I previously recommended stored the expiration date, and other clients might as well. Waiting to rotate is the most conservative choice which maximizes your compatibility with the most clients regardless of their adherence to these best practices. > Agreed. I think your article is a good starting point, but consider my > criticism above. I think your criticism only applies in a transitive sense, while the community is moving from one procedure to another, and should have little influence on any kind of proposed standard or guidelines.
---
Previous in thread (42 of 47): 🗣️ Petite Abeille (petite.abeille (a) gmail.com)