EduardCyber.mil serving file downloads using TLS certificate which expired 3 days ago
So what? They keep shortening the validity length of these certificates, making them more and more of a pain to deal with.
Which is yet another chore. And it doesn’t add any security. A certificate expired yesterday proves I am who I am just as much as it did yesterday. As long as the validity length is shorter than how long it would take somebody to work out the private key from the public key, it is fine.
Shortening certificate periods is just their way of admitting that certification revocation lists are absolutely worthless.
Right. It's the same debate about how long authorization cookies or tokens should last. At one point in time--only one--authentication was performed in a provable enough manner that the certificate was issued. After that--it could be seconds, hours, days, years, or never--that assumption could become invalid.