Re: What ASN.1 got right

The practical limit on certificate lifespan is 48 hours renewed every 24 unless you have a means of reliably getting trusted time into the client.

I have been trying to find info on SSH user certs on and off for quite a while. Seems like an under-documented feature... They solve a big problem for me :-)

On Tue, Mar 2, 2021 at 10:36 PM Nico Williams <nico@xxxxxxxxxxxxxxxx> wrote:
On Tue, Mar 02, 2021 at 07:00:35PM -0800, Michael Thomas wrote:
> NRE vs constant help desk. [...]

I can't parse "NRE".

> Where are all of these use cases that need offline verification? I asked
> somebody else and didn't get an answer.

Admins *really* like to be able to get into their servers when bad
things happen on their networks and necessary infrastructure is down.
SSH generally gives you that.

> All of this tells me that there is a witching hour with certs that hasn't
> been broken in almost 40 years.

Short-lived certs == no one ever forgets to automate the fetching of new
ones.

When you have two-year certs you need CRLs and OCSP and you always
forget to renew.

When you have five-day certs you cannot forget to renew more than twice
because you won't like the constant outages, so you'll automate.

Heck, you could dial that down to eight-hour certs.  After all, with JWT
we use JWKs that last only a few hours, so you *really* have to fetch
them on a schedule.

Nico
--
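The thread argues for certificates whose lifetime is short enough that renewal has to be automated, with the first reply putting the practical floor at a 48-hour lifetime renewed every 24 hours. The following is an added example, not code from either poster or from OpenSSH: it decodes the validity window of an OpenSSH user certificate (the `valid after` / `valid before` fields of the `ssh-ed25519-cert-v01@openssh.com` wire format), applies a renew-at-half-life rule, and simulates a renew-every-interval schedule to count how many hours of outage a given number of missed renewals produces. The certificate blob is constructed in-line with dummy key, nonce and signature bytes so the example runs offline; it has the correct layout but would not verify against any CA.

```python
"""Validity window of an OpenSSH user cert, and when to renew it (added example)."""
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1   # OpenSSH PROTOCOL.certkeys: 1 = user cert, 2 = host cert


def _sshstr(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_unsigned_cert(key_id: str, principals, valid_after: int, valid_before: int) -> str:
    """CONSTRUCTED ed25519 user certificate in OpenSSH wire format.

    Nonce, public key, CA key and signature are dummy bytes, so the blob parses
    but will NOT verify. It exists only so the example runs without ssh-keygen.
    """
    body = (
        _sshstr(CERT_TYPE)
        + _sshstr(b"\x00" * 32)                        # nonce (dummy)
        + _sshstr(b"\x01" * 32)                        # ed25519 public key (dummy)
        + struct.pack(">Q", 1)                         # serial
        + struct.pack(">I", SSH_CERT_TYPE_USER)        # type
        + _sshstr(key_id.encode())                     # key id
        + _sshstr(b"".join(_sshstr(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)               # valid after  (unix time)
        + struct.pack(">Q", valid_before)              # valid before (unix time)
        + _sshstr(b"") + _sshstr(b"") + _sshstr(b"")   # critical opts, extensions, reserved
        + _sshstr(b"\x02" * 51)                        # CA public key (dummy)
        + _sshstr(b"\x03" * 83)                        # signature (dummy)
    )
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " user@example"


class _Reader:
    """Sequential decoder for SSH wire-format fields with bounds checks."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def remaining(self) -> int:
        return len(self.buf) - self.pos

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.pos); self.pos += 4; return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.buf, self.pos); self.pos += 8; return v

    def string(self) -> bytes:
        n = self.u32()
        if n > self.remaining():
            raise ValueError("truncated SSH string")
        v = self.buf[self.pos:self.pos + n]; self.pos += n; return v


def parse_cert(line: str) -> dict:
    """Decode type, key id, principals and validity window from a cert public line."""
    blob = base64.b64decode(line.split()[1])
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string(); r.string()                   # nonce, public key: skipped
    serial, ctype = r.u64(), r.u32()
    key_id = r.string().decode()
    pr, principals = _Reader(r.string()), []
    while pr.remaining():
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    return {"serial": serial, "type": ctype, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def should_renew(cert: dict, now: int, renew_fraction: float = 0.5) -> bool:
    """Renew once the cert has consumed renew_fraction of its lifetime (default: half)."""
    lifetime = cert["valid_before"] - cert["valid_after"]
    return now >= cert["valid_after"] + int(lifetime * renew_fraction)


def simulate_outage_hours(lifetime_h: int, interval_h: int, failed_attempts, horizon_h: int) -> int:
    """Hours with no valid cert when renewal runs every interval_h hours.

    Attempt 0 is the initial issuance at t=0 and always succeeds; attempt k is
    the renewal at t = k*interval_h and fails if k is in failed_attempts.
    """
    valid_before, outage = lifetime_h, 0
    for t in range(horizon_h):
        if t > 0 and t % interval_h == 0 and (t // interval_h) not in failed_attempts:
            valid_before = t + lifetime_h
        if t >= valid_before:
            outage += 1
    return outage


if __name__ == "__main__":
    line = build_unsigned_cert("alice", ["alice", "ops"], 1_700_000_000, 1_700_000_000 + 48 * 3600)
    print(parse_cert(line))
    print("48h/24h, one missed renewal :", simulate_outage_hours(48, 24, {1}, 96), "h outage")
    print("48h/24h, two missed renewals:", simulate_outage_hours(48, 24, {1, 2}, 96), "h outage")
```

With a 48-hour lifetime renewed every 24 hours, one missed renewal costs nothing and the second costs a full day of outage, which is the incentive the thread describes. The simulation only models the issuer's clock; the validity check on the server is only as trustworthy as that server's clock, which is why the first reply ties the shortest usable lifetime to having trusted time on the client.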
