On Tue, 2025-05-27 at 20:05 +0930, Tim via users wrote:
> On Mon, 2025-05-26 at 15:19 -0400, Jeffrey Walton wrote:
> > To reduce the size of Certificate Revocation List (CRL), and recover
> > quickly from a compromised host. Conventional wisdom is, browsers
> > don't download CRLs or OCSP, so a short validity closes the gap in
> > browser behavior.
>
> That's the first answer I've found that seemed logical. I remember in
> the past having to manually set browsers to check for revocation of
> certificates, because they didn't. Which seemed a rather dumb lack of
> cross-checking.

They didn't check because having all browsers constantly check would be
a considerable burden on the certificate authorities. It's a basic
design weakness in the cert model.

> Though it also seems that constantly changing something adds another
> vector for some kind of screw-up.
>
> Somewhat like the very dumb idea of making people constantly change
> their passwords.

Not the same thing at all. Asking people to make up new passwords
according to arcane rules is an open invitation to having weak
passwords. Renewing certs periodically is a compromise between "never"
and "constantly".

poc
--
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
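The point Jeffrey and poc are making above (a client that never fetches CRL/OCSP data keeps trusting a compromised certificate until its notAfter date, so short validity is what actually bounds the damage) can be made concrete with a small model. The following is an added example, not code from the thread or from Fedora; it uses only the Python standard library. The certificate dates, the compromise time, and the assumption that the CA publishes a revocation 24 hours after the compromise are all constructed for the illustration.

```python
"""Model of how certificate validity bounds the damage from a compromised
key when clients do not check CRL/OCSP. Stdlib only; all dates are
constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


def is_accepted(cert: Cert, now: datetime, revoked_serials: set,
                checks_revocation: bool) -> bool:
    """Client trust decision. The validity period is always enforced;
    revocation status is only consulted when the client actually fetches
    CRL/OCSP data (checks_revocation=True)."""
    if not (cert.not_before <= now < cert.not_after):
        return False
    if checks_revocation and cert.serial in revoked_serials:
        return False
    return True


def exposure(cert: Cert, compromised_at: datetime,
             revocation_published_at, checks_revocation: bool,
             step: timedelta = timedelta(hours=1)) -> timedelta:
    """Walk forward hour by hour from the moment the key was compromised and
    total the time during which the attacker's copy of the cert is still
    accepted. revocation_published_at=None models a CA that never learns
    of the compromise."""
    revoked = set()
    accepted = timedelta(0)
    t = compromised_at
    while t < cert.not_after:
        if revocation_published_at is not None and t >= revocation_published_at:
            revoked.add(cert.serial)          # CRL/OCSP now lists the serial
        if is_accepted(cert, t, revoked, checks_revocation):
            accepted += step
        t += step
    return accepted


def compare_policies() -> dict:
    """Constructed scenario: key compromised 2025-05-10, CA publishes the
    revocation one day later (assumption). Compare a 90-day cert issued on
    2025-05-01 with a 7-day cert issued on 2025-05-08, for a client that
    ignores revocation and one that checks it."""
    utc = timezone.utc
    compromised = datetime(2025, 5, 10, tzinfo=utc)
    revoked_at = compromised + timedelta(hours=24)
    long_issued = datetime(2025, 5, 1, tzinfo=utc)
    short_issued = datetime(2025, 5, 8, tzinfo=utc)
    certs = {
        "90-day": Cert(1, long_issued, long_issued + timedelta(days=90)),
        "7-day": Cert(2, short_issued, short_issued + timedelta(days=7)),
    }
    results = {}
    for name, cert in certs.items():
        for checks in (False, True):
            results[(name, checks)] = exposure(cert, compromised, revoked_at, checks)
    return results


if __name__ == "__main__":
    for (policy, checks), window in compare_policies().items():
        mode = "checks" if checks else "ignores"
        print(f"{policy:6} cert, client {mode} revocation: "
              f"accepted for {window.days}d {window.seconds // 3600}h after compromise")
```

For the client that checks revocation the window is the CA's reaction time in both cases; for the client that ignores revocation (the browser behaviour described above) it is the remaining validity, 81 days for the 90-day cert versus 5 days for the 7-day one. The model also shows the trade-off Tim raises: the shorter the validity, the more often the renewal machinery has to run without a slip.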