On Thu, 25 Mar 2021 23:44:59 +0100 mbays <mbays@sdf.org> wrote:

> Does it make sense to give a self-signed client certificate an
> expiration date? I think not, and therefore according to RFC5280
> section 4.1.2.5, notAfter should be set to 9999-12-31 23:59.
> => https://tools.ietf.org/html/rfc5280#section-4.1.2.5

To me, it seems that certain clients (I haven't used all of them) allow the user to select an expiration date when generating the certificate. In my opinion, this is the best approach. But clients should default to never-expiring certifications.

> The same goes for self-signed server certificates, but I mention this
> in the context of client certs because the notAfter time gives a way
> to fingerprint clients. So it would be good for clients which
> generate client certs to agree on this.

That fingerprinting would be highly ineffective (can only detect the client used), and is nothing in comparison to the most important privacy risk right now, which is your IP.

~almaember
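The convention discussed in the thread, as an added example that is not part of either message: a Go function using only the standard library that generates a self-signed client certificate and, when the user picks no expiry, sets notAfter to the RFC 5280 section 4.1.2.5 value 99991231235959Z. The function names (NewSelfSignedClientCert, IsNeverExpiring, UsesGeneralizedTimeSentinel) and the constructed serial number are assumptions for this example, not from any Gemini client.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NoWellDefinedExpiry is the notAfter value RFC 5280 section 4.1.2.5 assigns
// to a certificate with no well-defined expiration date.
var NoWellDefinedExpiry = time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC)

// NewSelfSignedClientCert builds a DER-encoded self-signed client certificate.
// A nil expiry selects the RFC 5280 "never expires" value; otherwise the
// caller-chosen date is used (the per-user choice some clients offer).
func NewSelfSignedClientCert(commonName string, expiry *time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notAfter := NoWellDefinedExpiry
	if expiry != nil {
		notAfter = expiry.UTC()
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed for the example; use a random serial in practice
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute).UTC(),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// Template doubles as issuer, so the certificate is self-signed.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// IsNeverExpiring reports whether a parsed certificate carries the RFC 5280 sentinel.
func IsNeverExpiring(cert *x509.Certificate) bool {
	return cert.NotAfter.Equal(NoWellDefinedExpiry)
}

// UsesGeneralizedTimeSentinel checks the raw DER for the GeneralizedTime string;
// RFC 5280 requires GeneralizedTime (not UTCTime) for dates in or after 2050.
func UsesGeneralizedTimeSentinel(der []byte) bool {
	return bytes.Contains(der, []byte("99991231235959Z"))
}

func main() {
	der, err := NewSelfSignedClientCert("alice", nil)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	fmt.Println("notAfter:", cert.NotAfter, "never-expiring:", IsNeverExpiring(cert))
}
```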