DNSCrypt – how expired certificates became a thing of the past

So this solves a problem with intermediate certificates expiring, but the scope is pretty narrow.<p>There are two types of key here, a &quot;provider public key&quot; and a &quot;resolver public key&quot;. The provider key signs the resolver key which signs the requests. This is a system to keep the resolver key from having problems. If you&#x27;re a website, this is basically irrelevant, because you do the equivalent of having the provider key sign requests. You have no intermediate to worry about at all.<p>But what if you&#x27;re Mozilla, and you <i>do</i> have a problem with intermediates expiring?<p>Well if you put this directly into place everything would get much worse. Extensions would expire after a few hours.<p>You would have to change your validation logic, to accept signatures that were made <i>while</i> the intermediate was valid, even though the intermediate has expired. (You could set a 12 month limit to make this no less secure than the old system.)<p>But... if you did this validation change, that would have prevented the extension problem in the first place, all by itself!<p>This system of short-lived intermediates is <i>nice</i>, but it&#x27;s way more important in its original home. For extension signing it would almost only be a convenience.

I&#x27;ve used DNSCrypt for some time and think it&#x27;s great software, however I disagree with the author&#x27;s position it makes certificate expiration a thing of the past. Setting a short expiry and automation for renewal is <i>optional</i> - and I strongly believe optional security is irrelevant. If certificates have a good reason to expire after 24 hours, or sooner, the software should guarantee it AND provide the automation tooling required to update it. Relying on the user to be informed and act accordingly is not a valid strategy.

The real rule, it seems to me, is that certificates need to expire <i>while the original person deploying the system is still working on it</i>. So that&#x27;s a measure in terms of the speed of businesses, not any fundamental constant. A year is far too long: people transfer, reorgs happen, etc. Let&#x27;s Encrypt&#x27;s three months is a bit too long, I think; it&#x27;s exactly one quarter, and things tend to change at the quarterly level. You <i>could</i> deploy something and be gone from the project by the time it expires. But anywhere from hours to weeks should be fine.