On Mon, Apr 07, 2025 at 06:38:56AM -0700, Mark Milhollan via mailop wrote:

> On Mon, 7 Apr 2025, Klaus Ethgen wrote:
> 
> > With this Let's-Encrypt stuff comes that the certificate needs to be
> > replaced every 3 months. I do not have all the time to replace them that
> > often.
> 
> FYI, it seems likely that all certificate issuers will change to short
> intervals as well, gradually down to 47 days by 2028, suggesting that by
> that time automation will be all but required.  Mainly it is for browsers
> but that would force some senders to go along if their receivers began
> rejecting expired certificates or those that exceed the limit (e.g.,
> self-signed for 10 years), which seems almost certain due to the underlying
> tooling being primarily browser focused.

Self-signed (not explicitly trusted by local policy) certificates already
fail validation because the issuer is not trusted; the expiration date
is not relevant.

When certificate validation is not required, and the sender is using
unauthenticated opportunistic TLS for just protection against *passive*
eavesdropping, policies relating to maximum lifetimes of validatable
certificates are out of scope.

With unauthenticated opportunistic TLS, or with matching DANE TLSA RRs,
OpenSSL will accept a certificate with a 30-minute lifetime, a 300-year
lifetime, or, if the TLSA records are "3 1 1", the certificate can even
be expired.  CA/B forum policy is not applicable.

-- 
    Viktor.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
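As an added example (not code from the thread or any of its posters), the DANE-EE "3 1 1" check described above, in Go using only the standard library: it computes the TLSA association data (SHA-256 over the SubjectPublicKeyInfo) for a constructed, already-expired self-signed certificate and shows that the match depends on neither issuer nor validity dates, while PKIX verification of the same certificate fails. The name mx.example.invalid and the dates are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA311 returns the hex association data of a DANE-EE(3) SPKI(1) SHA2-256(1) record:
// SHA-256 over the DER SubjectPublicKeyInfo. Issuer and validity dates are not inputs.
func TLSA311(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// MatchesTLSA311 is the DANE-EE acceptance test against one published record.
func MatchesTLSA311(cert *x509.Certificate, record string) bool {
	return TLSA311(cert) == record
}

// ExpiredSelfSigned builds a constructed self-signed test certificate whose NotAfter is in the past.
func ExpiredSelfSigned() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the RNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mx.example.invalid"}, // constructed sample name
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     time.Now().Add(-24 * time.Hour), // expired yesterday
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

func main() {
	cert := ExpiredSelfSigned()
	_, pkixErr := cert.Verify(x509.VerifyOptions{}) // PKIX path: untrusted issuer, expired
	rr := TLSA311(cert)                             // what the operator publishes in DNS
	fmt.Printf("PKIX: %v\nDANE-EE 3 1 1 match: %v\n", pkixErr, MatchesTLSA311(cert, rr))
}
```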
