253 points pabs3 | 1 comments
londons_explore ◴[] No.44616185[source]
Things that might not get updates shouldn't use the current date/time when checking certificates. Instead, they should see if the certificate would have been valid on the day the firmware was compiled (i.e. behaviour will never change through the passage of time alone).
replies(2): >>44616291 #>>44616303 #
AnotherGoodName ◴[] No.44616291[source]
Expired certificates should also at worst be a skippable warning. No one’s relying on certificates expiring for security. If you did you might have to wait many years for the expiration of a stolen certificate - lol!

It’s absolutely a minor “hey btw the certificate expired, check for an update” yet various systems treat certificate expiration as an end of the world lock it down scenario.

replies(2): >>44616578 #>>44620929 #
1. charcircuit ◴[] No.44620929[source]
>years for the expiration of a stolen certificate

Code signing certificates are trending down in length. It recently dropped down from a max of 39 months to about 15 months.