On Tue, May 27, 2025 at 6:50 AM Patrick O'Callaghan <[email protected]> wrote: > > On Tue, 2025-05-27 at 20:05 +0930, Tim via users wrote: > > On Mon, 2025-05-26 at 15:19 -0400, Jeffrey Walton wrote: > > > To reduce the size of Certificate Revocation List (CRL), and recover > > > quickly from a compromised host. Conventional wisdom is, browsers > > > don't download CRLs or OCSP, so a short validity closes the gap in > > > browser behavior. > > > > That's the first answer I've found that seemed logical. I remember in > > the past having to manually set browsers to check for revocation of > > certificates, because they didn't. Which seemed a rather dumb lack of > > cross-checking. > > They didn't check because having all browsers constantly check would be > a considerable burden on the certificate authorities. It's a basic > design weakness in the cert model.
OCSP Stapling fixed the problem. > > Though it also seems that constantly changing something adds another > > vector for some kind of screw-up. > > > > Somewhat like the very dumb idea of making people constantly change > > their passwords. > > Not the same thing at all. Asking people to make up new passwords > according to arcane rules is an open invitation to having weak > passwords. Renewing certs periodically is a compromise between "never" > and "constantly". Key continuity proved to be a better security property than gratuitous key rotations based on the tasseomancer reading tea leaves. Jeff -- _______________________________________________ users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
