Ten years isn't long enough for maximum age settings

January 3, 2024

The recent news of the time interval is that a ten year certificate built into every Keybase client expired at the end of 2023. I had a little reaction to this:

So much quiet damage has been done to so many people's pinned cert or private CA deployments by ten-year defaults. So much.

(It happened to us so now our private OpenVPN CA root is much, much longer.)

If you're making an internal thing good for ten years, don't (whether it is a TLS certificate or, for example, setting a retention duration for some database). Ten years is either not long enough or too long. If you're writing an example and use a ten year validity period, please don't (people are sure to copy it). Ten years can sound like an implausibly long time when you're setting something up, but as we all know there's nothing quite as permanent as a quick hack and there you are ten years later with some problems. This happened to us with OpenVPN and we failed to find a solution, to our pain.

If you don't have a plan to either roll over and renew whatever it is or definitely take it out of service, ten years is far too short. If you want to keep something active until you change your mind, set your not-after date, retention duration, or whatever to as high as you can. Ten years is a terrible value for this; it looks and feels long enough but it isn't anywhere near sufficient.

(In some cases it may be a little bit of a problem that we're now only fourteen years away from the year 2038 issue. But if you have a problem there, it's better to find out about it early.)

If you want to definitely take your thing out of service after a certain period of time, ten years is far too long. If your thing is still in use as ten years approaches, it's almost guaranteed to have wormed its way into all sorts of places, so that taking it out of service will cause explosions and the possibility of this will get people to show up demanding that its lifetime be extended (assuming that people even remember where it's used and what depends on it).

If you have a plan to roll over, extend, or renew the duration, ten years is also far too long. As everyone has found out through painful experience with TLS certificates, doing something only once every few years is a recipe for problems (and for forgetting that it needs to be done at all). To make sure you keep in practice and the process still works, you need to do this much more frequently than once every ten years. At this point I'd probably try to do it twice a year.

As it happens I'm not without sin, because the retention time for our Prometheus database is currently '3650 days' from late November 2018. We may well run out of disk space before then and when we get there we may decide we don't need ten years (or more than ten years) after all, but I should probably bump that up anyway since our intention is 'keep as much as we have disk space for and maybe get more disk space if we're running short'. I should definitely have some sort of calendar entry for it, as a reminder just in case.

(We do now check all of our long-lived internal TLS certificates and alert if their expiry time is getting close. It's probably overkill but it doesn't hurt. And some of them are less than a decade away at this point.)

(This is related to a much older discovery that '999 days' is not forever, and for that matter neither is 9999 days, although that's 27 years and change so it's closer. 99999 days is long enough for almost everyone to not worry about it, though.)


Comments on this page:

By Ewen McNeill at 2024-01-04 01:41:25:

Last time I dealt with this, I ended up deciding to make the replacement expire in 2037 (for the 2038 problem). It’s not that much longer than 10 years, but it seems very likely a bunch of things will be refreshed in anticipation of 2038 rollover issues. So it seemed the expiry time that was least likely to be an unprepared surprise.

But other than that I agree with you: either you want “max 6 months” and automated rollover, or you want multiple decades (and only rollover for breach / crypto algorithm change). In between is just asking for recurring surprises. Even manual 1 year rollover seems very likely to be a periodic surprise, especially if The One Person that was looking after it is no longer around.

Ewen

This is an argument against a mandatory limit at all, and against TLS because it probably doesn't make that an option, does it?

By Elbert Boone at 2024-01-07 10:38:34:

Verisimilitude, while the notBefore and notAfter dates do seem to be required, RFC 5280 says:

Both notBefore and notAfter may be encoded as UTCTime or GeneralizedTime. CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime. Conforming applications MUST be able to process validity dates that are encoded in either UTCTime or GeneralizedTime. To indicate that a certificate has no well-defined expiration date, the notAfter SHOULD be assigned the GeneralizedTime value of 99991231235959Z.

However, it doesn't mandate that anyone avoid using that as a real (calculated) expiry date, nor that it be handled specially on parsing—thus contributing to the "Y10K problem" and annoying Daniel J. Bernstein.

While most people worry about 2038, RFC 5280 worries about 2050. Why? 4.1.2.5.1 explains it:

The universal time type, UTCTime, is a standard ASN.1 type intended for representation of dates and time. UTCTime specifies the year through the two low-order digits ... (i.e., times are YYMMDDHHMMSSZ) ... Conforming systems MUST interpret the year field (YY) as follows: Where YY is greater than or equal to 50, the year SHALL be interpreted as 19YY; and Where YY is less than 50, the year SHALL be interpreted as 20YY.

Yuck. Anyway, it's not hard to find interfaces such as tls_peer_cert_notafter that use time_t and might therefore be affected by year-2038 problems. And I don't see any OpenSSL option to force the above "9999" expiry, which makes me doubt people are using or testing it. So I'm not optimistic about post-2038 dates, but it might be worth passing "-days 99999", seeing if that works, and using Ewen's suggestion if not.

By Barry at 2024-01-07 17:18:26:

Where I'm working, many applications were set up with undocumented certificates that expire within a small multiple of five years, long enough for anyone in the know to have moved on and causing unnecessary outages. It's infuriating.

Written on 03 January 2024.
« Why Unix's lseek() has that name instead of 'seek()'
'Unmaintained' (open source) code represents a huge amount of value »

Page tools: View Source, View Normal.
Search:
Login: Password:

Last modified: Wed Jan 3 22:02:58 2024
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.