
I used to be knee-deep in PKI stuff; now I hardly pay attention.

Two quick questions:

1 - Are there any TLS libraries that enable warnings when certs are nearing expiration?

2 - Are there any extensions in the works (or previous failed attempts) for TLS to have the client validate the next planned certificate and signal both ends when that fails?

To the best of my knowledge the answer to "2" is no.

I did a bunch of work with Verisign as a contractor back in the early 2000s and got to see some of the systems and infrastructure issuing a good portion of the world's certificates at that time. 15 years later I was at Google when they let an intermediate certificate in their SMTP certs expire and had a major GMail outage. At work last week we had a major outage related to certificate issues. Of course there are thousands upon thousands of stories like that in between.

The chains of trust you can build with PKI have been incredibly useful and instrumental to securing code, data and traffic, but the fact that it's still subject to such brittle failure modes is bemusing.
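As an added example (not code from either commenter, and not from any particular TLS library): Go's standard library gives you the hook question 1 asks about. tls.Config's VerifyPeerCertificate callback receives the chains the normal verifier has already accepted, so a client can walk every certificate in each chain and warn when any of them is close to expiry, while leaving the hard failure to the built-in verifier. The chain walk checks intermediates as well as the leaf, which is exactly the case the reply above describes, where a leaf that was fine sat under an intermediate that had lapsed. The names ChainExpiryWarnings, NewWarningClientConfig and BuildExampleChain, the 30-day threshold, and both certificates (a self-signed intermediate expiring in ten days under a leaf valid for a year) are constructed here for the demo and are not from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ExpiryThreshold is the warning window; 30 days is a common operational choice (assumption).
const ExpiryThreshold = 30 * 24 * time.Hour

// ChainExpiryWarnings walks every certificate in a presented chain, leaf and
// intermediates alike, and returns one warning per certificate that has
// already expired or will expire within threshold of now.
func ChainExpiryWarnings(chain []*x509.Certificate, now time.Time, threshold time.Duration) []string {
	var warnings []string
	for i, c := range chain {
		remaining := c.NotAfter.Sub(now)
		switch {
		case remaining <= 0:
			warnings = append(warnings, fmt.Sprintf("chain[%d] %q expired %s ago", i, c.Subject.CommonName, -remaining))
		case remaining <= threshold:
			warnings = append(warnings, fmt.Sprintf("chain[%d] %q expires in %s", i, c.Subject.CommonName, remaining))
		}
	}
	return warnings
}

// NewWarningClientConfig returns a client tls.Config whose VerifyPeerCertificate
// hook reports near-expiry certificates through warn without failing the
// handshake. Go's standard verifier runs first and still rejects anything
// already expired; this hook only adds early warning on top of it.
func NewWarningClientConfig(warn func(string)) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			for _, chain := range verifiedChains {
				for _, w := range ChainExpiryWarnings(chain, time.Now(), ExpiryThreshold) {
					warn(w)
				}
			}
			return nil
		},
	}
}

// newCert builds a test certificate, self-signed when parent is nil. This is
// constructed sample data for the demo, not the output of any real CA.
func newCert(cn string, notBefore, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(notAfter.UnixNano()), // distinct per cert in this demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildExampleChain returns [leaf, intermediate]: a leaf valid for a year under
// an intermediate that expires in ten days, the shape of outage the thread
// describes. Both certificates are constructed here for the demo.
func BuildExampleChain(now time.Time) ([]*x509.Certificate, error) {
	inter, interKey, err := newCert("demo intermediate CA", now.Add(-time.Hour), now.Add(10*24*time.Hour), true, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert("smtp.example.test", now.Add(-time.Hour), now.Add(365*24*time.Hour), false, inter, interKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, inter}, nil
}

func main() {
	now := time.Now()
	chain, err := BuildExampleChain(now)
	if err != nil {
		panic(err)
	}
	// Checking the leaf alone looks healthy; walking the chain catches the intermediate.
	fmt.Println("leaf-only warnings:", ChainExpiryWarnings(chain[:1], now, ExpiryThreshold))
	fmt.Println("full-chain warnings:", ChainExpiryWarnings(chain, now, ExpiryThreshold))
	cfg := NewWarningClientConfig(func(s string) { fmt.Println("WARN:", s) })
	fmt.Println("hook installed:", cfg.VerifyPeerCertificate != nil)
}
```

To use it against a live server, pass the config from NewWarningClientConfig to tls.Dial; the hook runs only for chains the default verifier accepted, so a chain that is already expired fails the handshake as before and never reaches the warning path. The threshold is per-certificate, which is what makes the intermediate visible: a monitor that only reads the leaf's NotAfter would have reported nothing here.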