Questions tagged [expiration-date]

20 questions
62
votes
6 answers

How to Securely Implement a "Remember Me" Feature?

Assuming you already have a website that implements all of the standard login stuff, what is the correct and most secure way to allow users to automatically be logged in for a certain time period (let's say 30 days)? This time period should be…
colithium
4
votes
2 answers

How do short lived certificates increase security?

After reading a blog post about the new Roughtime protocol, I am not convinced of the original premise that shorter certificate lifetimes increase security. The claim is that a shorter time somehow reduces the exposure if a secret key is…
John Deters
3
votes
1 answer

Why does Windows consider a certificate valid even after its expiration time?

I downloaded Google's Cloud SDK installer today, and upon checking the certificate to validate it, I noticed something strange: the expiration date of the certificate appears to be December 22nd 2019 - over four months from today, April 30th 2020.…
3
votes
3 answers

What happens when the timestamper's certificate expires?

What happens when the timestamper's certificate expires? If the code is now untrusted, can it be re-stamped without re-signing? If not, what good does this timestamp do me if my cert is valid until the same date? TimeStamperCertificate :…
3
votes
2 answers

JWT access token and refresh token

We have two applications App1 and App2. A user uses a browser to communicate with the apps. App1 supports different auth. mechanisms (SSO, usr/pwd, etc.) but App2 doesn't have any access to auth data and doesn't support any auth. mechanism. So we…
sgres
2
votes
0 answers

What is the name of the OpenSSL date format?

The OpenSSL date format has the month first and the year after the time. Example: Mar 18 10:55:00 2017 GMT See also here: https://www.shellhacks.com/openssl-check-ssl-certificate-expiration-date/ Does anyone know the name of the standard behind this…
Ray Hulha
2
votes
2 answers

How can an expired SSL certificate make the server and/or client vulnerable to MITM attacks?

When I see the warning on my browser about "Invalid Certificate" or "Untrusted Certificate", I might have doubt about a MITM attack at my network. Should I have the same concern when I see that the certificate expired warning? As I know, it happens…
Pilfility
2
votes
1 answer

Authorization expiration without reliable clock / time

I've been looking, but I think it's impossible to find a pairing solution that has the benefits of authorization expiration and renewal (like x509 cert expiry and OAuth expires_in), but that works without a reliable clock. I want it because renewal…
2
votes
2 answers

Stateless secure token that can expire?

I want to generate a link that will be given to a user. On this link, as a parameter, I will add a token that will be valid only for a few days. So after that time, the server will check the token, see that it's not valid anymore, and disallow the…
laurent
1
vote
1 answer

Can I change expiration date of a gpg key I've already sent to a key server?

ArchLinux wiki page on GnuPG reads Once a key has been submitted to a keyserver, it cannot be deleted from the server. Does that mean that also the expiration date with which I published the key via gpg --send-keys key-id cannot be changed?
Enlico
1
vote
1 answer

Request certificate expiration date in CSR

I want to see how my application will behave if the SSL certificate expires. CSRs are signed by a CA, so they are not self-signed and the validity period is 2 years. For my test I want to set the expiration period as 1 day. I don't have…
Alex
1
vote
2 answers

Do registration codes need expiry?

I work on an application where users are sent a unique registration code in the post. They use this, along with other personal information known to the user, to confirm the identity of the user upon creating a new account. Does the unique…
Daniel
1
vote
0 answers

How does PGP web of trust handle certificate expiration?

I have a certificate that expires in two years. I'll probably try to participate in a key signing party so I get to know what it actually looks like. What happens in two years? When my certificate expires, and I'll renew it by setting later expiration…
SoptikHa
1
vote
1 answer

Why is the need to expire OTP?

OTP can be implemented either using Google Authenticator or by sending SMS to the user. The GA code is created using a timestamp and the code expires if it's used after some time. However, in case of SMS, the OTP value is saved in the database on…
Shashwat Kumar
1
vote
0 answers

Certificate revocation with reason code removeFromCRL

RFC 5280 says: "The removeFromCRL (8) reasonCode value may only appear in delta CRLs and indicates that a certificate is to be removed from a CRL because either the certificate expired or was removed from hold." My question is: in which scenario is…