
Short lived certificate

Posted Aug 26, 2025 17:40 UTC (Tue) by NYKevin (subscriber, #129325)
In reply to: Short lived certificate by NYKevin
Parent article: Linux's missing CRL infrastructure

Actually, I'm mistaken. The truth is that it's much harder in IPv6, because most consumer devices automatically rotate their addresses frequently, and you have to turn this off separately on each device. This is (probably?) done even on a ULA prefix. In principle the privacy risks of a stable ULA are far lower than the privacy risks of a stable "regular" address (ULAs are not generally routable on the public internet, similar to RFC 1918 addresses in IPv4). But there might be situations where a ULA could be leaked even if it is not used for public addressing, so probably they ought to rotate by default too.



Short lived certificate

Posted Aug 26, 2025 20:00 UTC (Tue) by eythian (subscriber, #86862)

They shouldn't. They should have a fixed address, as you described, that can be used for incoming connections. Then besides that, they should also have the "privacy" address that rotates that is used for outgoing connections.

This said, when I've set up Linux servers on my network, privacy extensions are disabled by default, but when I connect a desktop, they're enabled. I'm not sure what does this switch.

There may be exceptions, I've been learning IPv6 lately but it's still not up to my decades of absorbed IPv4 knowledge.
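
The two comments above describe a host that keeps a stable address for incoming connections and a rotating RFC 4941 temporary address for outgoing ones, on both a global and a ULA prefix, and ask what flips privacy extensions on or off. The script below is an added example, not LWN's code nor either commenter's: it parses the output of `ip -6 addr` into stable/temporary/ULA/link-local classes, decodes the kernel's `net.ipv6.conf.<iface>.use_tempaddr` values, and checks per prefix whether the stable-plus-temporary layout is present. The interface listing is constructed (RFC 3849 documentation prefix and an RFC 4193 ULA prefix), and it assumes the kernel generates temporary addresses for the ULA prefix as well as the global one.

```python
"""Classify IPv6 addresses from `ip -6 addr` output and check for the
stable-plus-temporary layout discussed in the thread.  Added example,
not part of the original page; the sample output below is constructed."""
import ipaddress
import re
from dataclasses import dataclass

ULA = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses

# Constructed sample shaped like `ip -6 addr show dev eth0` on a host with
# use_tempaddr=2: one stable and one temporary address per prefix, for a
# global prefix and a ULA prefix, plus the link-local address.  It assumes
# the kernel produces temporary addresses for the ULA prefix too.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1234:56ff:fe78:9abc/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:7a8b/64 scope global temporary dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fd12:3456:789a:1:1234:56ff:fe78:9abc/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fd12:3456:789a:1:9f8e:7d6c:5b4a:3928/64 scope global temporary dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)(.*)$")


@dataclass
class Addr:
    address: ipaddress.IPv6Address
    plen: int
    scope: str
    flags: set

    @property
    def temporary(self):
        # `temporary` is how iproute2 marks an RFC 4941 rotating address
        return "temporary" in self.flags

    @property
    def ula(self):
        return self.address in ULA

    @property
    def kind(self):
        if self.scope == "link":
            return "link-local"
        base = "ula" if self.ula else "global"
        return f"{base}-{'temporary' if self.temporary else 'stable'}"


def parse_ip6_addr(text):
    """Return one Addr per `inet6` line of `ip -6 addr` output."""
    found = []
    for line in text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr, plen, scope, rest = m.groups()
        found.append(Addr(ipaddress.IPv6Address(addr), int(plen), scope,
                          set(rest.split())))
    return found


def describe_use_tempaddr(value):
    """Meaning of net.ipv6.conf.<iface>.use_tempaddr, per the kernel's
    ip-sysctl documentation: <=0 off, 1 on but prefer the stable address,
    >=2 on and prefer the temporary address for outgoing connections."""
    if value <= 0:
        return "disabled"
    if value == 1:
        return "enabled, prefer public (stable) address"
    return "enabled, prefer temporary address"


def has_stable_and_temporary(addrs):
    """Per prefix, True when both a stable (incoming) and a temporary
    (outgoing) address exist; link-local addresses are ignored."""
    per_prefix = {}
    for a in addrs:
        if a.scope == "link":
            continue
        prefix = ipaddress.IPv6Network(f"{a.address}/{a.plen}", strict=False)
        slot = per_prefix.setdefault(prefix, {"stable": False, "temporary": False})
        slot["temporary" if a.temporary else "stable"] = True
    return {str(p): s["stable"] and s["temporary"] for p, s in per_prefix.items()}


if __name__ == "__main__":
    for a in parse_ip6_addr(SAMPLE):
        print(f"{a.address:44} {a.kind}")
    print(has_stable_and_temporary(parse_ip6_addr(SAMPLE)))
```

On a live host, feed it `subprocess.run(["ip", "-6", "addr", "show", "dev", "eth0"], capture_output=True, text=True).stdout` instead of `SAMPLE`, and read the kernel knob with `sysctl net.ipv6.conf.eth0.use_tempaddr`. The "switch" eythian wonders about is usually the network manager rather than the kernel default: NetworkManager sets `use_tempaddr` from its per-connection `ipv6.ip6-privacy` property, and systemd-networkd from `IPv6PrivacyExtensions=` in the `[Network]` section of a `.network` file, so a desktop profile and a hand-written server configuration can land on different values with the same kernel.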


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds