The practical limit on certificate lifespan is 48 hours renewed every 24 unless you have a means of reliably getting trusted time into the client.
I have been trying to find info on SSH user certs on and off for quite a while. Seems like an under-documented feature... They solve a big problem for me :-)
On Tue, Mar 2, 2021 at 10:36 PM Nico Williams <nico@xxxxxxxxxxxxxxxx> wrote:
On Tue, Mar 02, 2021 at 07:00:35PM -0800, Michael Thomas wrote:
> NRE vs constant help desk. [...]
I can't parse "NRE".
> Where are all of these use cases that need offline verification? I asked
> somebody else and didn't get an answer.
Admins *really* like to be able to get into their servers when bad
things happen on their networks and necessary infrastructure is down.
SSH generally gives you that.
> All of this tells me that there is a witching hour with certs that hasn't
> been broken in almost 40 years.
Short-lived certs == no one ever forgets to automate the fetching of new
ones.
When you have two-year certs you need CRLs and OCSP and you always
forget to renew.
When you have five-day certs you cannot forget to renew more than twice
because you won't like the constant outages, so you'll automate.
Heck, you could dial that down to eight-hour certs. After all, with JWT
we use JWKs that last only a few hours, so you *really* have to fetch
them on a schedule.
Nico
--
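The renewal policy argued above (a 48-hour user certificate re-fetched every 24 hours, with the client's clock as the weak link) is easy to get subtly wrong, so here is a worked check of it. This is an added example, not code from the thread or from OpenSSH: it parses the "Valid:" line that `ssh-keygen -L -f id_ed25519-cert.pub` prints for a certificate the CA signed with `ssh-keygen -s ca -I alice@laptop -n alice -V -5m:+48h id_ed25519.pub`, decides whether the client should renew, rejects certificates that violate the short-lived policy, and shows how far a client clock can lag before the 24-hour renewal lands after expiry. The listing is a constructed sample with placeholder fingerprints, the 5-minute CA backdate is an assumption, and the host is assumed to run in UTC because `ssh-keygen -L` prints local time without a zone.

```python
"""Renewal scheduling for short-lived OpenSSH user certificates (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `ssh-keygen -L` output for a certificate signed with
# -V -5m:+48h at 2021-03-02T10:00:00. Fingerprints are placeholders; only the
# "Valid:" line is parsed.
SAMPLE_LISTING = """\
id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:placeholder
        Signing CA: ED25519 SHA256:placeholder (using ssh-ed25519)
        Key ID: "alice@laptop"
        Serial: 42
        Valid: from 2021-03-02T09:55:00 to 2021-03-04T10:00:00
        Principals:
                alice
        Critical Options: (none)
        Extensions:
                permit-pty
"""

# Policy from the thread: certs live 48 hours and are renewed every 24.
MAX_LIFETIME = timedelta(hours=48)
RENEW_EVERY = timedelta(hours=24)
CA_BACKDATE = timedelta(minutes=5)  # assumed: the CA signs with -V -5m:+48h

_VALID_RE = re.compile(r"^\s*Valid: from (\S+) to (\S+)\s*$", re.MULTILINE)
_FOREVER_RE = re.compile(r"^\s*Valid: forever\s*$", re.MULTILINE)
_TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_validity(listing):
    """Return (valid_after, valid_before) as aware UTC datetimes, or None for
    a certificate with no expiry ("Valid: forever"). ssh-keygen -L prints
    local time with no zone; this example assumes the host runs in UTC."""
    if _FOREVER_RE.search(listing):
        return None
    m = _VALID_RE.search(listing)
    if not m:
        raise ValueError("no Valid: line in certificate listing")
    start = datetime.strptime(m.group(1), _TIME_FMT).replace(tzinfo=timezone.utc)
    end = datetime.strptime(m.group(2), _TIME_FMT).replace(tzinfo=timezone.utc)
    return start, end


def max_tolerated_clock_lag(lifetime=MAX_LIFETIME, renew_every=RENEW_EVERY):
    """A client whose clock runs slow renews late in real time. Renewing at
    local time issued + renew_every still lands before expiry only while the
    lag is strictly below lifetime - renew_every (24h for a 48h/24h policy)."""
    return lifetime - renew_every


def renewal_lapses(valid_after, valid_before, clock_lag, renew_every=RENEW_EVERY):
    """True if a client whose clock lags real time by clock_lag would trigger
    its scheduled renewal only after the certificate has already expired."""
    issued = valid_after + CA_BACKDATE            # CA's (trusted) signing time
    renewal_real_time = issued + renew_every + clock_lag
    return renewal_real_time >= valid_before


def estimate_clock_skew(local_now_at_issue, valid_after, backdate=CA_BACKDATE):
    """Compare the client's clock with the CA's at the moment the cert arrived:
    the CA's timestamps are the only trusted time the client has. Positive
    result means the client clock is ahead of the CA's."""
    return local_now_at_issue - (valid_after + backdate)


def evaluate(listing, now, lifetime=MAX_LIFETIME, renew_every=RENEW_EVERY):
    """Classify a certificate against the short-lived policy:
    'reject'  - never expires, or lives longer than the policy allows
    'expired' - past valid_before by this clock
    'renew'   - renew_every has elapsed since issuance; fetch a new one
    'ok'      - nothing to do yet"""
    window = parse_validity(listing)
    if window is None:
        return "reject"
    valid_after, valid_before = window
    if valid_before - valid_after > lifetime + CA_BACKDATE:
        return "reject"
    if now >= valid_before:
        return "expired"
    if now >= valid_after + CA_BACKDATE + renew_every:
        return "renew"
    return "ok"


if __name__ == "__main__":
    valid_after, valid_before = parse_validity(SAMPLE_LISTING)
    for lag_hours in (0, 6, 24, 30):
        lapses = renewal_lapses(valid_after, valid_before, timedelta(hours=lag_hours))
        print(f"client clock {lag_hours:2d}h slow: "
              f"{'LAPSE before renewal' if lapses else 'renews in time'}")
    print("max tolerated lag:", max_tolerated_clock_lag())
```

`evaluate()` returns "reject" for a "Valid: forever" certificate on purpose: a renewal daemon that silently accepts an unexpiring cert is exactly how the automation Nico describes stops being exercised. `estimate_clock_skew()` is the cheap substitute for trusted time the first message asks about: every freshly issued certificate carries the CA's clock, so the client can at least detect when its own clock has drifted past what the policy tolerates.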