From c8a228a8797c71d196a9912d50e56ad59b48b45e Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 28 Nov 2023 17:51:00 +0100 Subject: [PATCH] ch4: freshness --- book/source/04-certificates.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index eaf6709..70e7b5b 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -552,13 +552,13 @@ Their properties differ: [^hip1]: (cert-freshness)= -### Certificate freshness: Triggering updates with expiration +### Certificate freshness: Triggering updates with an expiration time -For a certificate holder, one problem is that communication partners may not regularly poll for updates of their certificate. +For a certificate holder, one problem is that their communication partners may not regularly poll for updates of their certificate. -A certificate holder usually prefers that everyone else regularly obtains updates for their certificate. This way, a third party will, for example, not mistakenly keep using the certificate indefinitely, in case it gets revoked. Instead, in the worst case, someone will use the certificate until the expiration date. +A certificate holder usually prefers that everyone else regularly obtains updates for their certificate. This way, a third party will, for example, not mistakenly keep using the certificate indefinitely, after it gets revoked. Setting an expiration time on the certificate, ahead of time, limits the worst case scenario: communication partners will at most use a revoked certificate until its expiration time, even if they never learn of the revocation. -Once the expiration date is reached, third parties, or ideally their OpenPGP software will have to obtain an update for the certificate. For example, from a keyserver, or via WKD. Ideally, certificate updates are obtained automatically, by the user's OpenPGP software, without any need for human intervention. +Once the expiration time is reached, third parties, or ideally their OpenPGP software will have to stop using the certificate, and may attempt to obtain an update for it. For example, from a keyserver, or via WKD. Ideally, certificate updates are obtained automatically, by the user's OpenPGP software, without any need for human intervention. After the update, the updated copy of the certificate will usually have a fresh expiration time. 
The same procedure will repeat once that new expiration time has been reached.
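Review bot: In the added sentence "Once the expiration time is reached, third parties, or ideally their OpenPGP software will have to stop using the certificate, ..." the parenthetical "or ideally their OpenPGP software" is missing its closing comma after "software" (the removed line had the same problem, so this is a good moment to fix it). Two smaller points in the same hunk: "worst case scenario" should be hyphenated as "worst-case scenario", and "For example, from a keyserver, or via WKD." is a sentence fragment that reads better folded into the preceding sentence, e.g. "... and may attempt to obtain an update for it, for example from a keyserver or via WKD." Finally, the claim that "communication partners will at most use a revoked certificate until its expiration time, even if they never learn of the revocation" only holds when the partner's OpenPGP software actually enforces the expiration time; consider qualifying it as "partners using conforming OpenPGP software" so the limitation is explicit.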