by JoshTriplett
3472 days ago
> There is no reason to trust a certificate that's older than a year, for instance, there's been more than enough time for someone to reverse engineer the keys if they wanted.

Cryptography does not work that way.

> It's pretty trivial to set up cert renewal, so why didn't they?

That holds true today, with Let's Encrypt; their short expiration date seems to exist largely to force people to automate it, and in that regard it seems quite effective. But prior to that, many CAs did not have scriptable automated processes to renew certificates.
> Cryptography does not work that way.

But it kind of does. Imagine if we were still using certificates signed with DES and MD5 hashes because they were available perpetually. Certificate expiration at the very least means that whenever you renew you're keeping up to date with whatever vulnerabilities have been exploited in the past 3-5 years.
It also keeps CRLs short and concise as those certificates that have expired do not need to be included.
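The two points in the reply above, that renewal cycles retire stale signature algorithms and that expired certificates fall off the CRL, are the kind of thing a certificate inventory check can enforce. The following is an added example, not code from either commenter: it audits a small, constructed inventory of certificate metadata against an assumed policy (a 398-day maximum lifetime, a 30-day renewal lead time, and an assumed list of deprecated signature algorithms) and prunes a revocation list down to entries that still matter. The record fields, the policy constants and the sample certificates are all assumptions for the sake of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: signature algorithms a renewal cycle should have retired.
DEPRECATED_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of an X.509 certificate as an inventory might store it (assumed shape)."""
    serial: str
    subject: str
    not_before: datetime
    not_after: datetime
    sig_alg: str


def days_until_expiry(cert: CertRecord, now: datetime) -> int:
    """Whole days remaining before notAfter (negative once expired)."""
    return (cert.not_after - now).days


def needs_renewal(cert: CertRecord, now: datetime, lead_days: int = 30) -> bool:
    """True when the certificate is expired or inside the renewal window."""
    return days_until_expiry(cert, now) < lead_days


def audit(cert: CertRecord, now: datetime, max_lifetime_days: int = 398,
          lead_days: int = 30) -> list[str]:
    """Return policy findings for one certificate; an empty list means clean."""
    findings = []
    lifetime = (cert.not_after - cert.not_before).days
    if lifetime > max_lifetime_days:
        findings.append(f"lifetime {lifetime}d exceeds {max_lifetime_days}d")
    if cert.sig_alg in DEPRECATED_SIG_ALGS:
        findings.append(f"deprecated signature algorithm {cert.sig_alg}")
    if cert.not_after <= now:
        findings.append("expired")
    elif needs_renewal(cert, now, lead_days):
        findings.append(f"renew within {days_until_expiry(cert, now)}d")
    return findings


def prune_crl(revoked_serials, inventory, now: datetime) -> list[str]:
    """Drop revoked serials whose certificate has already expired.

    Serials not found in the inventory are kept: with no known notAfter
    there is no basis for removing them.
    """
    by_serial = {c.serial: c for c in inventory}
    return sorted(s for s in revoked_serials
                  if s not in by_serial or by_serial[s].not_after > now)


# Constructed sample data (not real certificates).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    CertRecord("01", "CN=api.example.test",
               NOW - timedelta(days=60), NOW + timedelta(days=20),
               "sha256WithRSAEncryption"),
    CertRecord("02", "CN=legacy.example.test",
               datetime(2019, 1, 1, tzinfo=timezone.utc),
               datetime(2024, 1, 1, tzinfo=timezone.utc),
               "sha1WithRSAEncryption"),
    CertRecord("03", "CN=www.example.test",
               NOW - timedelta(days=10), NOW + timedelta(days=80),
               "ecdsa-with-SHA256"),
]
REVOKED = ["02", "03", "99"]


def run_audit(inventory=INVENTORY, now=NOW) -> dict[str, list[str]]:
    """Map each subject to its findings, for reporting."""
    return {c.subject: audit(c, now) for c in inventory}


if __name__ == "__main__":
    for subject, findings in run_audit().items():
        print(subject, "->", findings or "ok")
    print("CRL after pruning:", prune_crl(REVOKED, INVENTORY, NOW))
```

The interesting case is the legacy certificate: a five-year lifetime means it was never forced through a renewal, so it still carries SHA-1, and once it expires it can leave the CRL because no relying party should accept it anyway.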