by fgonzag 3470 days ago
> There is no reason to trust a certificate that's older than a year, for instance, there's been more than enough time for someone to reverse engineer the keys if they wanted.

> Cryptography does not work that way.

But it kind of does. Imagine if we were still using certificates signed with DES and MD5 hashes because they were available perpetually. Certificate expiration at the very least means that whenever you renew you're keeping up to date with whatever vulnerabilities have been exploited in the past 3-5 years.

It also keeps CRLs short and concise as those certificates that have expired do not need to be included.


> Imagine if we were still using certificates signed with DES and MD5 hashes because they were available perpetually.

We don't rely on expiration or revocation for that; we rely on clients and servers refusing to use insecure algorithms.
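Both points in this exchange, as an added example that is neither commenter's code: a client policy that rejects an MD5-signed certificate on its algorithm alone, whatever dates it carries (the reply's point), and CRL pruning that drops only entries whose certificate has already expired (the original comment's point). The certificate records, serials and dates are constructed stand-ins for parsed X.509 fields.

```python
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Signature algorithms this client still accepts. Deprecation is enforced here,
# regardless of the validity dates a certificate carries.
ALLOWED_SIG_ALGS = {"sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384"}

# Constructed records standing in for the fields a real X.509 parser would return.
CERTS = {
    # Long-lived MD5-signed certificate, still inside its validity window.
    1001: {"serial": 1001, "sig_alg": "md5WithRSAEncryption",
           "not_before": NOW - timedelta(days=3650), "not_after": NOW + timedelta(days=3650)},
    # Modern algorithm, but expired three years ago.
    1002: {"serial": 1002, "sig_alg": "sha256WithRSAEncryption",
           "not_before": NOW - timedelta(days=1460), "not_after": NOW - timedelta(days=1095)},
    # Modern algorithm, currently valid.
    1003: {"serial": 1003, "sig_alg": "ecdsa-with-SHA256",
           "not_before": NOW - timedelta(days=30), "not_after": NOW + timedelta(days=335)},
}

# Constructed CRL: the issuer has revoked all three serials at some point.
CRL = [{"serial": 1001}, {"serial": 1002}, {"serial": 1003}]


def evaluate_cert(cert, now=NOW):
    """Return the reasons a client rejects the certificate; an empty list means accepted."""
    problems = []
    if cert["sig_alg"] not in ALLOWED_SIG_ALGS:
        problems.append("weak signature algorithm: " + cert["sig_alg"])
    if now < cert["not_before"]:
        problems.append("not yet valid")
    if cert["not_after"] < now:
        problems.append("expired")
    return problems


def prune_crl(crl, issued, now=NOW):
    """Keep only CRL entries whose certificate has not yet expired.
    An expired certificate already fails evaluate_cert, so the issuer can stop
    listing it; a revoked but unexpired cert (serial 1001) must stay on the list."""
    return [entry for entry in crl if issued[entry["serial"]]["not_after"] >= now]


if __name__ == "__main__":
    for serial, cert in CERTS.items():
        print(serial, evaluate_cert(cert) or ["accepted"])
    print("CRL after pruning:", [e["serial"] for e in prune_crl(CRL, CERTS)])
```

Note that the ten-year MD5 certificate is rejected while still unexpired, and stays on the CRL for the same reason: only the algorithm policy, not the notAfter date, retires it.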