So, for hobby / home websites, certificates with a short lifespan is ok.
For anything else, a decent certificate provider should be used…
From: "Tim via users" <users@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Tuesday, 27 May 2025 at 12:36:07 pm
To: "noloader@xxxxxxxxx" <noloader@xxxxxxxxx>, "Community support for Fedora users" <users@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: "Tim" <ignored_mailbox@xxxxxxxxxxxx>
Subject: Re: How to setup certs for https access for Fedora 42?
On Mon, 2025-05-26 at 15:19 -0400, Jeffrey Walton wrote:
> To reduce the size of Certificate Revocation List (CRL), and recover
> quickly from a compromised host. Conventional wisdom is, browsers
> don't download CRLs or OCSP, so a short validity closes the gap in
> browser behavior.
That's the first answer I've found that seemed logical. I remember in
the past having to manually set browsers to check for revocation of
certificates, because they didn't. Which seemed a rather dumb lack of
cross-checking.
Though it also seems that constantly changing something adds another
vector for some kind of screw-up.
Somewhat like the very dumb idea of making people constantly change
their passwords.
--
uname -rsvp
Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
(yes, this is the output from uname for this PC when I posted)
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
--
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> To reduce the size of Certificate Revocation List (CRL), and recover
> quickly from a compromised host. Conventional wisdom is, browsers
> don't download CRLs or OCSP, so a short validity closes the gap in
> browser behavior.
That's the first answer I've found that seemed logical. I remember in
the past having to manually set browsers to check for revocation of
certificates, because they didn't. Which seemed a rather dumb lack of
cross-checking.
Though it also seems that constantly changing something adds another
vector for some kind of screw-up.
Somewhat like the very dumb idea of making people constantly change
their passwords.
--
uname -rsvp
Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
(yes, this is the output from uname for this PC when I posted)
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
--
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
-- _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
