openscreenprotocol
Certificates should have a maximum lifetime, and SPAKE2 identities should be SPKI not cert fingerprint
To encourage certificate agility, consider adding a relatively short maximum lifetime as in WebTransport (https://w3c.github.io/webtransport/#custom-certificate-requirements). This change would imply that the SPAKE2 identity should be formed from the subject public key (https://tools.ietf.org/html/rfc7469#section-2.4) instead of from the certificate fingerprint, to avoid forcing a fresh SPAKE2 authentication whenever the server renews its certificate.
On a handwavier note, I wonder if there is a way to allow SPKI rotation without forcing a new SPAKE2 flow -- maybe by allowing the old key to sign the new key?
Changing the SPAKE2 input is a good idea, thank you @estark37. I believe we can replace the certificate fingerprint with the SPKI in SPAKE2 without too many changes to the existing protocol, which would give us the flexibility to extend certificates without forcing re-auth. I will put together a PR for that.
SPKI rotation is something I would have to think more about. If there's no connection for more than 2 lifetimes that would require a re-auth. That might be okay. It would also require procedures in the spec to require certificate regeneration and specifying valid signatures and chains. In this area, I would like to defer additional work until we have the other certificate issues sorted out, additional reviews and more implementation experience.
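To make the proposal concrete, here is an added example in Go (not code from the openscreenprotocol project or from anyone in this thread): it issues a short-lived self-signed certificate, renews it, and computes both candidate SPAKE2 identities, the SHA-256 of the DER SubjectPublicKeyInfo per RFC 7469 section 2.4 and the SHA-256 fingerprint of the whole certificate. The two-week lifetime, the serial numbers and the P-256 key pair are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// newKey generates the receiver's long-term P-256 key pair (curve chosen for the demo).
func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// selfSigned issues a self-signed certificate for key with the given lifetime and serial number.
func selfSigned(key *ecdsa.PrivateKey, lifetime time.Duration, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().Add(lifetime)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// identities returns both candidate SPAKE2 identities for a certificate: the SHA-256 of the
// DER SubjectPublicKeyInfo (RFC 7469 section 2.4) and the SHA-256 of the whole DER certificate.
func identities(c *x509.Certificate) (spki, fingerprint string) {
	s, f := sha256.Sum256(c.RawSubjectPublicKeyInfo), sha256.Sum256(c.Raw)
	return hex.EncodeToString(s[:]), hex.EncodeToString(f[:])
}

// renewalKeepsIdentity issues a two-week certificate for key, then a renewal signed by
// renewKey (the same key, or a rotated one), and reports which identity survived.
func renewalKeepsIdentity(key, renewKey *ecdsa.PrivateKey) (spkiSame, fingerprintSame bool, err error) {
	old, err := selfSigned(key, 14*24*time.Hour, 1)
	if err != nil {
		return false, false, err
	}
	renewed, err := selfSigned(renewKey, 14*24*time.Hour, 2)
	if err != nil {
		return false, false, err
	}
	oldSPKI, oldFP := identities(old)
	newSPKI, newFP := identities(renewed)
	return oldSPKI == newSPKI, oldFP == newFP, nil
}
```

With the same key pair, only the SPKI-derived identity survives the renewal while the certificate fingerprint changes; rotating the key pair changes both, which is the case the SPKI-rotation question above would need to handle.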