
Solving the expiring X.509 root CA certificate-mageddon, partly at least - fanf2
https://blog.apnic.net/2020/07/30/solving-the-expiring-root-ca-certificate-mageddon-partly-at-least/
======
JMTQp8lwXL
Root CAs are treated as if they have no expiration period. This does not bode
well for IoT devices, like mentioned in the article, internet-connected
televisions. It is up to the manufacturer to embed the capability to perform
the upgrades.

I'm not sure if I agree with the article's assertion to treat Root CAs as
'never' expiring. Sure, it's certainly the practical option, but if a Root CA
is compromised, it's useless.

~~~
grishka
So why _do_ they have an expiration period, then? What's the exact problem
that's being solved by them having one?

~~~
jandrese
In theory if they didn't have an expiration date then you would have to keep a
CRL entry around forever if one of the root CAs screwed up and had their key
leaked.

In practice even if that did happen it would likely be less hassle to keep
that revocation around than dealing with updating the certs every few years in
billions of embedded devices.

The alternative might be to set the expiration dates way in the future. Like a
thousand years in the future. At least that way it will be someone else's
problem when that date rolls around and everyone has forgotten how to update
their root certs.

~~~
josephcsible
Root CAs can't meaningfully be revoked. If one is compromised, it needs to be
removed from clients.
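The two failure modes discussed in this thread (a root that has passed its notAfter date, versus a compromised root that has simply been removed from the client's trust store) can be reproduced with Go's standard library `crypto/x509`. The following is an added example, not code from the thread or from the linked article; the root CA, the leaf certificate, the "Demo Root CA" name, the `update.example` host name and the fixed reference clock are all constructed here for illustration. It builds a self-signed root valid for ten years and a leaf that deliberately outlives it, then verifies the leaf at different times and against an emptied trust store:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Demo holds a constructed root CA and a leaf it issued. Everything is
// generated in memory; no real CA or device is involved.
type Demo struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
	Now  time.Time // fixed reference clock so results are deterministic
}

// Anchors returns the trust store an embedded client would ship with:
// just the demo root.
func (d *Demo) Anchors() []*x509.Certificate { return []*x509.Certificate{d.Root} }

// BuildDemo creates a self-signed root valid for 10 years after Now and a
// leaf valid for 20 years, so that in the experiments below only the root's
// validity window changes the outcome (constructed example data).
func BuildDemo() (*Demo, error) {
	now := time.Date(2020, 7, 30, 0, 0, 0, 0, time.UTC)

	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"}, // hypothetical
		NotBefore:             now.AddDate(-1, 0, 0),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "update.example"}, // hypothetical update server
		DNSNames:     []string{"update.example"},
		NotBefore:    now,
		NotAfter:     now.AddDate(20, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &Demo{Root: root, Leaf: leaf, Now: now}, nil
}

// Check verifies leaf against the given trust anchors at time now and labels
// the outcome: "valid", "root expired" (the issuing root is in the store but
// outside its validity window) or "untrusted" (no anchor signs the chain,
// which is exactly the state a client is in after a compromised root is removed).
func Check(leaf *x509.Certificate, roots []*x509.Certificate, now time.Time) string {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now}); err == nil {
		return "valid"
	}
	// Go reports an expired anchor as "unknown authority", so tell the two
	// cases apart by asking whether an anchor that signed the leaf has expired.
	for _, r := range roots {
		if leaf.CheckSignatureFrom(r) == nil && (now.After(r.NotAfter) || now.Before(r.NotBefore)) {
			return "root expired"
		}
	}
	return "untrusted"
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("today:              ", Check(d.Leaf, d.Anchors(), d.Now))
	fmt.Println("11 years later:     ", Check(d.Leaf, d.Anchors(), d.Now.AddDate(11, 0, 0)))
	fmt.Println("root removed today: ", Check(d.Leaf, nil, d.Now))
}
```

The second line of output is the television scenario from the thread: the leaf itself is still in date, but the client rejects it because the anchor it ships with has expired. The third line is josephcsible's point: a root is "revoked" by taking it out of the store, after which nothing it signed verifies, without any CRL entry being needed.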

