|
|
Subscribe / Log in / New account

Expired Certificates

Expired Certificates

Posted Sep 23, 2018 13:43 UTC (Sun) by rweikusat2 (subscriber, #117920)
In reply to: Time namespaces by amarao
Parent article: Time namespaces

There's no technical reason why one shouldn't trust an expired certificate. 'A certificate' is a public key plus some metainformation which both have been digitially signed utilizing some usually unrelated private key (if the private key corresponding to the public key in the certificate has been used, the certificate is said to be self-signed). The owner of the certificate will also have the secret private key corresponding with the public key and hence, someone who has access to the certificate can create messages only the certificate owner can decrypt. It's considered prudent to change encryption keys regular, that's why certificates "expire". But that's just encouraging a key change (which implies generating a new certificate) and doesn't enforce it: Unless the private key has been compromised, there's no need to stop using it.

to post comments

Expired Certificates

Posted Sep 23, 2018 14:51 UTC (Sun) by Sesse (subscriber, #53779) [Link] (2 responses)

Other reasons why certificates expire include that the domain may have been transferred to another entity. And if somebody manages to generate a bad certificate somehow, one wants to limit the amount of damage that can be done.

Expired certificates are also generally not part of OSCP, so it's hard to revoke them in practice.

Expired Certificates

Posted Sep 23, 2018 16:57 UTC (Sun) by rweikusat2 (subscriber, #117920) [Link] (1 responses)

A certificate as two time attributes called "not before" and "not after" which form the bounds of "certificate lifetime". That's a property of the certificate and has absolutely no relation to "domain ownership". In case of a domain changing owner, not that this would be applicable to the camera case, old certificates would probably be revoked, that is, put on a special "this certificate isn't considered valid anymore" list published by a CA (simplification).

'Bad certificates' would also usually be dealt with by revocation. Standard lifetime of commercial certificates is a year and "Oh well, the guy who pretends to be your bank in order to rob your account will be forced to stop next year!" wouldn't exactly be fit-for-purpose as security policy here.

Expired Certificates

Posted Sep 24, 2018 12:30 UTC (Mon) by KaiRo (subscriber, #1987) [Link]

One of the problems is that most certificate checks in software do not check revoking information, and even the sources for revoking information (CRLs, OCSP, etc.) have various issues, including privacy leaks and more. That's one reason why expiry has more weight than it should have in theory, because it puts a time limit on the issues around revocation.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds