This is the a good question. The control of the web and all things associate with it (now access to banking) depend on them certs. By expiring a root CA you get rid of a lot of stubborn old people.
Adrian > On 3 Oct 2021, at 00:56, Michael <[email protected]> wrote: > > ugh. Well, doing a search shows a LOT of articles about this very issue -- > this was apparently a known "this is going to affect a lot of people" deal, > and "just update your software, or ... sorry." was the only answer. > > But, I at least did find out why certs expire. > Seriously though: A cert identifies a domain. If you sell/buy a domain, you > want to be able to invalidate all existing certs for that domain. > > And as I see that, I'm immediately struck by two things: > 1. SSL, and a cert's job, is to validate the connection, not the person on > the other end. It's to prevent MitM attacks. (Putting the domain name in -- > when multiple names can go to the same server? Why?) > 2. The DNS is the obvious place to put "Here's our fingerprint" or something > to validate a cert -- that would prevent old owner certs from working. (So > why isn't this done?) > > And I cannot find any good reason for expiring root certs. They explicitly > have much longer lifespans than anything else, and this isn't the first time > that root certs have gone poof. > > Off the list topic now. Thanks for your help. > > On 2021-10-02, at 8:32 PM, Ryan Schmidt <[email protected]> wrote: > >> On Oct 2, 2021, at 22:06, Michael wrote: >>> >>> So, first, I want to say "Thank you" for this bit: >>> >>>> • From View menu select "Show Expired Certificates" >>> >>> In keychain access, I could not see the expired certs, and was thinking >>> that they were just deleted for being old. Once I could find the old ones, >>> I could turn them back on. >>> >>> The second thing is that for whatever reason, I could not download and >>> install the new cert into keychain access. But ... oddly, Firefox 52 ESR >>> had that cert installed (even that old ...???). I could export from >>> firefox, and import THAT into keychain access, and at least enable that for >>> my account. >>> >>> So, ... well, not perfect. These certs are marked as trusted for *my >>> account*. Not for the system. So predictably, some things done by the >>> system in the background will fail, but at least Chrome and Firefox both >>> now work fine. (Safari isn't tested, but ... well, Safari isn't tested :=-). >>> >>> ==== >>> >>> I have a much better question, that's outside of the scope of this list or >>> even the site(s) in question. >>> >>> Why does a signature expire? >>> >>> If I have something that was signed by a cert, and it was signed in a valid >>> time time stamp, why does that signature ever expire? >>> >>> I've come across programs that have an expired signature, and I can't see a >>> good reason for it. >>> >>> And if there's no good way to tell when something was actually signed >>> (because a timestamp can be forged), then the question becomes, why does a >>> cert expire as a function of time? Why not allow a cert to be "until >>> revoked"? >>> >>> For that matter, why is "valid/not valid" not under the control of the >>> system? Why is someone else allowed to say that my system is no longer >>> valid? >>> >>> I figure that there's a good answer to these questions somewhere, but I >>> have no clue where to even begin looking. And yes, I know that quantum >>> factoring will eventually permit all of these certs to be forged, but until >>> then, why not allow them, and even after that point, why not allow me to >>> allow them? >> >> I'm not an expert on this stuff, just sharing what I learned about the issue >> yesterday, but you can ask your search engine questions like "why do >> certificates expire" or more specifically in this case "why do root ca >> certificates expire". >> >> My understanding is that the reason why Let's Encrypt recommends sites >> continue to serve the ISRG Root X1 certificate that is signed by the expired >> DST Root CA X3 certificate is that at least old browsers like those on old >> Android phones should consider a web site's certificate to be valid, as long >> as we are within its validity dates, even if the root certificate it's >> signed by is expired. Like I said, I'm not an expert, I don't know why it >> would be that way, and evidently it's not that way on some Apple devices, so >> server administrators now have to choose between Let's Encrypt's default >> which supports old Android devices or the other way which supports old Apple >> devices. >> >> > > --- > Entertaining minecraft videos > http://YouTube.com/keybounce >
