Security Basics mailing list archives

RE: Expired certificates


From: "Gaydosh, Adam" <GaydoshA () ctc com>
Date: Thu, 4 May 2006 13:32:40 -0400

Clients should not be prompted to accept the expired certificate, e.g.
if there is a new certificate being used...this was not clear in the OP
other than "We do not use it anymore...", although I agree it'd be poor
conditioning for the users if they were in fact prompted.
The information in a certificate is public by nature, including the
public key, so the security risk is the private key...since it can be
used to decrypt (archived, if no longer in use) SSL sessions, you should
not leave it dormant on the web server, but archived off-line (as
dictated by your security policies ;).  Not to mention why any sensible
sys admin would lobby to keep expired certificates cluttering the
certificate store...
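The reply above makes two points a practitioner can act on: the expired certificate's public half is harmless, but a private key left on the IIS box is not, and expired entries should not linger in the store. The script below is an added example (it is not part of the original message or the thread) that inventories the machine store, flags expired certificates that still carry a private key, and archives those to PFX before removal. The store path `Cert:\LocalMachine\My`, the archive folder `C:\cert-archive`, and the use of `-WhatIf` on the removal are assumptions for illustration; `Export-PfxCertificate` and the `-DeleteKey` switch need the Windows 8 / Server 2012 era PKI provider or later.

```powershell
# Added example, not from the thread: audit the IIS machine store for expired
# certificates and show which ones still have a private key on the server.
$now   = Get-Date
$store = 'Cert:\LocalMachine\My'     # assumption: the store IIS bindings use
$archiveDir = 'C:\cert-archive'      # assumption: off-box/off-line target for the archive

$expired = Get-ChildItem -Path $store |
    Where-Object { $_.NotAfter -lt $now } |
    ForEach-Object {
        [PSCustomObject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            DaysExpired   = [int]($now - $_.NotAfter).TotalDays
            HasPrivateKey = $_.HasPrivateKey   # the part the reply says must not stay dormant
        }
    }

# Report: expired entries with a private key are the ones that matter.
$expired | Sort-Object NotAfter | Format-Table -AutoSize

if (-not (Test-Path $archiveDir)) { New-Item -ItemType Directory -Path $archiveDir | Out-Null }

# Archive (PFX, password-protected) and then remove cert + key from the store.
# -WhatIf only prints the removal that would happen; drop it once the archive is verified.
foreach ($c in ($expired | Where-Object { $_.HasPrivateKey })) {
    $certPath = Join-Path $store $c.Thumbprint
    $pfxPath  = Join-Path $archiveDir "$($c.Thumbprint).pfx"
    $pfxPassword = Read-Host -AsSecureString -Prompt "Archive password for $($c.Thumbprint)"

    Export-PfxCertificate -Cert $certPath -FilePath $pfxPath -Password $pfxPassword | Out-Null
    Write-Host "Archived $($c.Subject) ($($c.Thumbprint)) to $pfxPath"

    Remove-Item -Path $certPath -DeleteKey -WhatIf
}
```

Run it in an elevated PowerShell session on the web server; certificates that are expired but have no private key can simply be removed, while those with `HasPrivateKey` set are the ones whose archive should be confirmed before the `-WhatIf` is dropped.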

-----Original Message-----
From: nospam [mailto:nospam () dranem org] 
Sent: Saturday, April 29, 2006 4:22 PM
Cc: Security-Basics
Subject: Re: Expired certificates


Kenton Smith wrote:

This seems like a bit of a pointless argument. If they have no other
reason for removing it other than convenience, I don't see why you
don't just remove it.
That aside, I suppose the only security risk I can see is that there is
information on that certificate someone could use against you. It is
possible that they could take that information and spoof the site and
certificate.
That's about the only security risk to leaving it there that I can
think of.

Kenton

--- 1tgeye () surewest net wrote:

We have an IIS server with an old certificate that has expired.  We do
not use it anymore and I am arguing to remove it from the site.  Other
people are saying it doesn't hurt anything and just leave it there.

Can anyone give me a reason why an unused but expired certificate
could cause a security risk?  I would like to add that to my argument
why it should be removed.

It'll get the users thinking 'it's ok to accept expired certificates';
this is never a good thing;

they are influenced [improperly] in too many other ways
