TLS certificate expiry times are fundamentally a hack

January 7, 2024

Famously, TLS certificates expire, which even today can take websites offline because they didn't renew their TLS certificate in time. This doesn't just affect websites; people not infrequently create certificates that are supposed to be long lived, except sometimes they make them last (only) ten years, which isn't long enough. When people argue about this, let's be clear; TLS certificate expiry times, like most forms of key expiry, are fundamentally a hack that exists to deal with the imperfections of the world.

In a spherical and frictionless ideal world, TLS certificate keys would never be compromised, TLS certificates would never be issued to anyone other than the owner of something, TLS certificates could be effectively invalidated through revocation, and there would be no need to have TLS certificates ever expire. In this world, TLS certificates would be perpetual, and when you were done with a website or some other use of a TLS certificate, you would publish a revocation of it just to be sure.

We don't live in a spherical and frictionless world, so TLS certificates expire in order to limit the damage of key compromise and mis-issued certificates. That TLS certificates expire only imperfectly limits the damage of key compromise, not only because you have to wait for the certificate to expire (hence the move to shorter and shorter lifetimes) but also because there's generally nothing that stops you from re-using the same key for a whole series of TLS certificates. Since we don't have effective certificate revocation at scale, both mis-issued certificates and certificates where you know the key is compromised can only really be handled by letting them expire. If they didn't expire, they would be dangerous forever.

(If you're a big place, the browsers will give you a hand by shipping an update that invalidates the required certificates and keys, but this isn't available to ordinary mortals.)

This isn't particularly specific to TLS; other protocols with public keys often have the same issues and adopt the same solution of expiry times (PGP is one example). There are protocols that use keys without expiry times, such as DKIM. However, DKIM has extremely effective key revocation; to revoke a key, you remove the public part from your DNS, and then no one can validate anything signed by that key (well, unless they have their own saved copy of your old DNS). Other protocols punt and leave the whole problem up to you, for example SSH keypairs.

(Some protocols have other reasons for limiting the lifetime of keys, such as making encrypted messages 'expire' by default)

The corollary of this is that if you're dealing with TLS certificates (or keypairs in general) and these issues aren't a concern for you, there's not much reason to limit your TLS certificate lifetimes. Just don't make their lifetimes be ten years.

(My current personal view is that there are two reasonable choices with TLS certificate lifetimes. Either you have automated issuance and renewal, in which case you should have short lifetimes, or you have manual issuance and rollover, in which case they should be as long as you can get away with. TLS certificates that live for a year or three and have to be manually rolled over are the worst of both worlds; a key compromise or a mis-issuance is dangerous for a comparatively long time, and the rollover period is long enough that you'll have issues keeping track of it and doing it.)


Comments on this page:

When people argue about this, let's be clear; TLS certificate expiry times, like most forms of key expiry, are fundamentally a hack that exists to deal with the imperfections of the world.

Most such design decisions in TLS are mechanisms of control above all else.

TLS certificates would never be issued to anyone other than the owner of something

This flaw alone invalidates the entire model, which makes giving it not even one sentence of mention surprising.

This is the root certificate of Apple Computer, used at its lowest levels and burned into the computers.

I examined it with an X.509 tool, and found no expiration dates therein. I may be wrong, but this isn't surprising to me in the least. Of course Apple Computer and Google can be trusted with cryptographic secrets that don't expire; it's only the peons who don't need those. Apple Computer and Google certainly don't mind decreasing the already insufficiently-small lifetimes of what they allow others to use, however.

Written on 07 January 2024.
« Some ballpark numbers for fun on filling filesystem cache with NFS traffic
One of the things limiting the evolution of WebPKI is web servers »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Jan 7 18:10:40 2024
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.