On Oct 2, 2021, at 22:06, Michael wrote: > > So, first, I want to say "Thank you" for this bit: > >> • From View menu select "Show Expired Certificates" > > In keychain access, I could not see the expired certs, and was thinking that > they were just deleted for being old. Once I could find the old ones, I could > turn them back on. > > The second thing is that for whatever reason, I could not download and > install the new cert into keychain access. But ... oddly, Firefox 52 ESR had > that cert installed (even that old ...???). I could export from firefox, and > import THAT into keychain access, and at least enable that for my account. > > So, ... well, not perfect. These certs are marked as trusted for *my > account*. Not for the system. So predictably, some things done by the system > in the background will fail, but at least Chrome and Firefox both now work > fine. (Safari isn't tested, but ... well, Safari isn't tested :=-). > > ==== > > I have a much better question, that's outside of the scope of this list or > even the site(s) in question. > > Why does a signature expire? > > If I have something that was signed by a cert, and it was signed in a valid > time time stamp, why does that signature ever expire? > > I've come across programs that have an expired signature, and I can't see a > good reason for it. > > And if there's no good way to tell when something was actually signed > (because a timestamp can be forged), then the question becomes, why does a > cert expire as a function of time? Why not allow a cert to be "until > revoked"? > > For that matter, why is "valid/not valid" not under the control of the > system? Why is someone else allowed to say that my system is no longer valid? > > I figure that there's a good answer to these questions somewhere, but I have > no clue where to even begin looking. And yes, I know that quantum factoring > will eventually permit all of these certs to be forged, but until then, why > not allow them, and even after that point, why not allow me to allow them?
I'm not an expert on this stuff, just sharing what I learned about the issue yesterday, but you can ask your search engine questions like "why do certificates expire" or more specifically in this case "why do root ca certificates expire". My understanding is that the reason why Let's Encrypt recommends sites continue to serve the ISRG Root X1 certificate that is signed by the expired DST Root CA X3 certificate is that at least old browsers like those on old Android phones should consider a web site's certificate to be valid, as long as we are within its validity dates, even if the root certificate it's signed by is expired. Like I said, I'm not an expert, I don't know why it would be that way, and evidently it's not that way on some Apple devices, so server administrators now have to choose between Let's Encrypt's default which supports old Android devices or the other way which supports old Apple devices.
