@BRIAN_____ @dshaw most people's cert renewals use the same private key in my experience so even renewals need to be re-keyed.
@tdp_org @BRIAN_____ @dshaw Uff, that's horrible.
@kangsterizer @BRIAN_____ @dshaw Many CAs let you re-key a cert at any time though.
@tdp_org @kangsterizer @BRIAN_____ @dshaw Many let you, but perhaps it should be required at least every 3 (or one) year(s).
End of conversation
@brian_____ E.g. if Mallory does MITM with the old cert? (Which she has the key to.)
@BRIAN_____ At least they (5 year certs) die next April. Too bad we couldn't make the maximum validity even shorter than 3 years.
@BRIAN_____ Is anyone even doing anything to improve the revocation story?
@gsnedders @BRIAN_____ Yes! Requiring OCSP stapling is progressing (albeit slowly) and short-lived certs are on the horizon.
@GreatAmus @BRIAN_____ I thought browsers did the same soft-fail for OCSP stapled certs? But I could be massively out of date. :)
@gsnedders @BRIAN_____ They do, which is why mustStaple should be required with stapled responses.
@GreatAmus @BRIAN_____ Then I stand by my view that neither of those really solve the problem, they just hack around it. :(
@gsnedders @BRIAN_____ "Solve" v "hack" is a matter of perspective. Either one solves the problem for a server operator using them.
@GreatAmus @BRIAN_____ Well, short expiry times only "solve" the problem insofar as they reduce the period for which the broken cert is usable.
End of conversation