Hacker News new | ask | show | jobs
by admax88q 2754 days ago
Expiry dates are in years, if a key is compromised, then an adversary has _years_ to exploit a MITM.

However we already mitigate this with revocation lists. But if we can revoke certificates why do we have expiration dates?

Seems to me expiration dates are rent seeking behaviour by certificate vendors.
3 comments
nemothekid 2754 days ago
This is a reason to shorten expiration times, not remove them (which companies like LetsEncrypt are doing)
link
admax88q 2753 days ago
Why. If revocation already works why bother with expiration?
link
jstanley 2754 days ago
One good reason is that if you buy a domain name that somebody else has used in the past, they don't have an infinite valid SSL certificate for your domain.
link
AltF4me 2754 days ago
Would it not be possible to expire the cert if the domain expires?
link
wiml 2754 days ago
No, that would be "revocation". Expiration is relatively easy to implement because the expiration date is known in advance and so you can simply put the expiration date in the certificate when it is issued. Revocation is relatively difficult because you need to continually check some database for revocation information — that's where CRLs, OCSP, and the like come in. And there's a lot of complexity under that hood, which, once the dust settles, boils down to just issuing very-short-lived certificates under a different guise.
link
toast0 2754 days ago
No. The certificate's expiration is fixed at time of issuance. You could set the expiration of the certificate to the expiration date of the domain, but the domain could be transferred, cancelled, or revoked before the expiration.
link
LinuxBender 2754 days ago
Just a few years ago, almost nothing checked the revocation lists. I revoked certs for some popular domains and was concerned about ssl caches and proxies... turns out, an owl heard it. An odd dog barked. No impact. Not even from the folks that embedded our certs onto their servers for legacy code reasons. Perhaps this has changed over the last couple of years.
link
admax88q 2753 days ago
Yep. But that's an implementation problem. Revocation is a critical security feature. Complaining that people didn't used to check it is like complaining that people didn't used to encrypt.

You're not secure if you don't check revocation.

link
LinuxBender 2753 days ago
I agree with this. For the record, I am not complaining. :-) I just like to share my experiences of how things worked verses how they were intended to work.
link