undefined | Better HN

sugarpimpdorsey9mo ago· 2 in thread

Wrong. Enforcement is done by the browser. Yes, a CA's certificate policy may govern how long a certificate they will issue. But should an error occur, and a long-lived cert issued (even maliciously), the browser will reject it.

The browser-CA cartels stay relatively in sync.

You can verify this for yourself by creating and trusting a local CA and try issuing a 5 year certificate. It won't work. You'll have a valid cert, but it won't be trusted by the browser unless the lifetime is below their arbitrary limit. Yet that certificate would continue to be valid for non-browser purposes.

ameliaquining9mo ago

I just did this with a 20-year certificate and it worked fine in Chrome and Firefox. That said, my understanding is that the browsers exempt custom roots from these kinds of policies, which are only meant to constrain the behavior of publicly trusted CAs.

sugarpimpdorsey9mo ago

Safari enforces a hard limit of just over two years.

avianlyric9mo ago· 1 in thread

> So a bad actor can still issue a multi-year certificate for itself, and in the absence of side-channel verification the browser is none the wiser.

How would a bad actor do that without a certificate authority being involved?

syncsynchalt9mo ago

The bad actor would also need to install a root for their custom CA on the end-user device.

arccy9mo ago

the browsers will verify, and every cert will be checked against transparency logs. you won't be able to hide a long lived cert for very long.

0 comments

0 comments