On Wed, May 17, 2023 at 2:47 AM Barry <barry@xxxxxxxxxxxxxxxx> wrote: > > > On 16 May 2023, at 22:51, Tim via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > > > On Tue, 2023-05-16 at 14:43 -0400, Todd Zullinger wrote: > >> AFAICT, you have the older key installed, which has expired. > > > > Tangentially, I'm not sure of the value of expiring keys, other than > > for timebombing things. > > In the general case it puts a limit on how long a compromised key will be usable. > Let’s encrypt keys only live for 3 months (?) for example. > > But it all depends on security threat model. The reason for short lived certificates is to keep CRLs small, especially for mobile devices. In the past, mobile clients were asked to download 60 MB CRLs over a 2G or 3G connection. UI's literally hung while trying to perform the revocation checks. Google experimented with a 30 day expiration, if I recall correctly. Key continuity is much more valuable than gratuitous key rotation. Never throw away a perfectly good key (or password). In fact, unexpected key changes - from the relying party's view - should be considered a red flag. Key continuity and Public Key Pinning is what revealed the DigiNotar compromise. Here's the Iranian kid's message that started the whole thing off: http://productforums.google.com/forum/#!category-topic/gmail/share-and-discuss-with-others/3J3r2JqFNTw . Unfortunately, Google's asshole webmaster broke the link. Where can I get a job breaking shit like a webmaster? Jeff _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
