On Tue, 23 Oct 2012, Gervase Markham wrote:
> On 22/10/12 23:15, Paul Wouters wrote:
>> Maintaining TLS certificates actually becomes _easier_, because people
>> don't have to frantically read the openssl man page to generate a new
>> certificate when the old one suddenly expired without anyone noticing
>> before the complaints hit the help desk.
> They have to read other documentation about how to update their DNS
> instead...
No they do not. Because there is no _expiry date_. By being in the TLSA
record in DNS, it is self-declared valid. No mysterious outages in 1 or
2 years from now when the certificate expired and the original guy who
knew the openssl command line left the company. This is another reason for
TLS bare key certificates that just contain the bare public key as SPKI.
To get rid of that obsolete container information (and new CA invoice).
Until those are common practice, define the certificate to be valid for
100 years, and you should be good till retirement.
Paul
_______________________________________________
therightkey mailing list
https://www.ietf.org/mailman/listinfo/therightkey
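The procedure Paul describes (a self-signed certificate with an expiry far in the future, whose validity is then asserted by a DANE TLSA record in DNS rather than by the X.509 dates) as an added example; it is not code from the thread or from any of its participants. It assumes `openssl` is on the PATH, and the hostname, port and working directory are constructed placeholders. The TLSA record uses selector 1 (SubjectPublicKeyInfo), so the hash covers only the public key, which is the "bare key" part of the certificate; the surrounding container can be re-issued without touching DNS as long as the key stays the same.

```shell
#!/bin/sh
# Added example (not from the thread): make a long-lived self-signed
# certificate and derive the DANE TLSA record that declares it valid.
set -eu

# make_long_lived_cert <dir> <hostname>
# Writes key.pem and cert.pem to <dir>; the certificate is valid for
# 36500 days (about 100 years), as the message suggests.
make_long_lived_cert() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -days 36500 -subj "/CN=$host" >/dev/null 2>&1
}

# tlsa_rdata <cert.pem>
# RDATA for a "3 1 1" TLSA record:
#   usage 3    DANE-EE: the end-entity certificate itself is the trust anchor
#   selector 1 SubjectPublicKeyInfo only (the bare public key, not the container)
#   matching 1 SHA-256 of the DER-encoded SPKI
tlsa_rdata() {
    hash=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -hex | awk '{print $NF}')
    printf '3 1 1 %s\n' "$hash"
}

# tlsa_record <hostname> <port> <cert.pem>
# Full zone-file line, e.g. "_443._tcp.www.example.com. IN TLSA 3 1 1 <hex>".
tlsa_record() {
    host="$1"; port="$2"; cert="$3"
    printf '_%s._tcp.%s. IN TLSA %s\n' "$port" "$host" "$(tlsa_rdata "$cert")"
}

# cert_still_valid_in <cert.pem> <seconds>
# Returns 0 if the certificate will still be valid <seconds> from now.
# Useful as a check that the "100 year" request actually took effect.
cert_still_valid_in() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo with constructed values (hostname and port are placeholders).
demo() {
    work=$(mktemp -d)
    make_long_lived_cert "$work" "www.example.com"
    tlsa_record "www.example.com" 443 "$work/cert.pem"
    # 50 years in seconds; fits in a 32-bit signed integer
    cert_still_valid_in "$work/cert.pem" 1576800000 && echo "valid for 50+ years"
    rm -rf "$work"
}
```

Run `demo` from the script (or source the file and call `tlsa_record` on an existing certificate) to get the zone-file line to publish. Two points that follow from how the record works: a zone that carries TLSA records must be signed with DNSSEC for the client to trust the "self-declared" validity, and if the key is ever rotated the TLSA record has to change with it, so the key, not the certificate, becomes the thing to track.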