ch4: add text for "Certificate freshness"

This commit is contained in:
Heiko Schaefer 2023-11-22 22:31:27 +01:00
parent daaf172cca
commit 04be4cd927
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB


@ -496,16 +496,16 @@ The historical 4-byte "short Key IDs" format should not be used anywhere, anymor
write, link to chapter 9
```
### Best practices regarding Key Freshness
(cert-freshness)=
### Certificate freshness: Triggering updates with expiration
```{admonition} TODO
:class: warning
For a certificate holder, one problem is that communication partners may not regularly poll for updates of their certificate.
- Expiry
- Subkey rotation
A certificate holder usually prefers that everyone else regularly obtains updates for their certificate. This way, a third party will, for example, not mistakenly keep using the certificate indefinitely, in case it gets revoked. Instead, in the worst case, someone will use the certificate until the expiration date.
Wiktor suggests to check: https://blogs.gentoo.org/mgorny/2018/08/13/openpgp-key-expiration-is-not-a-security-measure/ for important material
```
Once the expiration date is reached, third parties, or ideally their OpenPGP software will have to obtain an update for the certificate. For example, from a keyserver, or via WKD. Ideally, certificate updates are obtained automatically, by the user's OpenPGP software, without any need for human intervention.
After the update, the updated copy of the certificate will usually have a fresh expiration time. The same procedure will repeat once that new expiration time has been reached.
### Metadata leak of Social Graph
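Review bot: The sentence "Once the expiration date is reached, third parties, or ideally their OpenPGP software will have to obtain an update for the certificate" overstates what expiration enforces: nothing forces the third party to fetch an update, the expired copy simply stops being treated as valid, and if no update is available (or the fetch fails) the certificate becomes unusable rather than refreshed. Suggest "will need to obtain an update before they can continue using the certificate" and a clause covering the case where no fresh copy can be obtained. Related: the TODO admonition in this hunk still carries the pointer "Wiktor suggests to check: https://blogs.gentoo.org/mgorny/2018/08/13/openpgp-key-expiration-is-not-a-security-measure/"; since the new prose presents expiration only as a trigger for updates (and contrasts it with revocation in "not mistakenly keep using the certificate indefinitely, in case it gets revoked"), the section should state explicitly that expiration is a freshness mechanism and not a substitute for revocation, or the TODO should stay open until it does. Minor: the parenthetical "or ideally their OpenPGP software" needs a closing comma after "software", and "For example, from a keyserver, or via WKD." is a fragment that could be attached to the preceding sentence. The context line "write, link to chapter 9" is also still inside a fenced block with no opening fence visible in the hunk; worth confirming the surrounding TODO fence is balanced after the heading change.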