💾 Archived View for rawtext.club › ~sloum › geminilist › 002090.gmi captured on 2020-09-24 at 03:22:09. Gemini links have been rewritten to link to archived content


Removing expiry dates for TOFU

Solderpunk solderpunk at posteo.net

Mon Jul 6 13:55:36 BST 2020

- - - - - - - - - - - - - - - - - - - 

On Mon Jul 6, 2020 at 12:18 AM CEST, wrote:

5 year certs sound like a good compromise to me. We can make client
messages sufficiently scary, seeing as a five year expiry will make
TOFU issue somewhat rare. Will you set that as a default for your
cert tool then?

Maybe! ;) I *do* plan to finally start work on that tool this week, by the way.

Hopefully by 2025 we'll have agreed on a way to do smooth roll-overs which is widely implemented! If that does happen, and it's easily automated (which I'd very much like it to be), maybe we can start shifting towards less long-lived keys/certs for an extra peace of mind.

Do you agree with my original recommendation that clients should
auto-accept any cert once the old one has expired? This seems relevant
here. I think it's nice for UX, although I see the obvious security
risk.

In the absence of any other roll-over mechanism, yeah, this seems like sane behaviour for a TOFU client.

Cheers,
Solderpunk
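As an added illustration (not code from this thread or from any Gemini client), the TOFU rule the message agrees on, written out in Python: an unknown host is trusted on first use, a changed certificate is auto-accepted only once the pinned one has expired, and any earlier change is reported as a mismatch for the user to decide. The host name, certificate bytes and dates are constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes; what a TOFU client pins per host."""
    return hashlib.sha256(cert_der).hexdigest()


def tofu_check(pins: dict, host: str, cert_der: bytes,
               not_after: datetime, now: datetime) -> str:
    """Decide how to treat the certificate `host` just presented.

    `pins` maps host -> (fingerprint, not_after) of the pinned cert and is
    updated in place. Returns one of:
      'trust-first-use'        no pin yet, pin this cert
      'match'                  same cert as pinned
      'rollover-after-expiry'  different cert, but the pin has expired: accept
      'mismatch'               different cert before expiry: warn, keep old pin
    The third case is the "obvious security risk": anyone who can answer for
    the host after the pinned cert's expiry is accepted without a warning.
    """
    fp = fingerprint(cert_der)
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = (fp, not_after)
        return "trust-first-use"
    pinned_fp, pinned_not_after = pinned
    if fp == pinned_fp:
        return "match"
    if now > pinned_not_after:
        pins[host] = (fp, not_after)  # roll over to the new cert
        return "rollover-after-expiry"
    return "mismatch"


def demo() -> list:
    """Constructed scenario: a 5-year cert, an early swap, then a roll-over."""
    pins = {}
    host = "example.invalid"  # placeholder host
    t0 = datetime(2020, 7, 6, tzinfo=timezone.utc)
    expiry_a = t0 + timedelta(days=5 * 365)
    expiry_b = expiry_a + timedelta(days=5 * 365)
    late = expiry_a + timedelta(days=1)
    return [
        tofu_check(pins, host, b"cert-A", expiry_a, t0),    # first contact
        tofu_check(pins, host, b"cert-A", expiry_a, t0),    # same cert again
        tofu_check(pins, host, b"cert-B", expiry_b, t0),    # swapped early
        tofu_check(pins, host, b"cert-B", expiry_b, late),  # after expiry
        tofu_check(pins, host, b"cert-A", expiry_a, late),  # old cert returns
    ]
```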