[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
Ryan Sleevi
sleevi at google.com
Mon Feb 6 07:50:25 MST 2017
On Mon, Feb 6, 2017 at 3:40 AM, Rob Stradling via Public <public at cabforum.org> wrote:
> Is there anyone who believes that _expiration_ currently "works"?
>
> When a typical browser encounters an expired server certificate, it shows
> a warning that the user can click through. The user is only advised to
> avoid harm. I wonder how many users don't heed that advice?
>
> However, when a typical browser encounters a server certificate that it
> knows to be revoked, it shows a warning that the user *cannot* click
> through. The user is *forced* to avoid harm.
>
> What's stopping browsers from treating expired certs in the same way that
> they treat known revoked certs?
>
> (FWIW, I've made this point before:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/T11up58JkFc/uMNrXQsIzf0J)
Perhaps it's worth starting a separate thread for that discussion?
And perhaps it's worth reviewing
https://docs.google.com/presentation/d/1Qmpl-5epx0B5C2t4XsUTyjgbwab_rXfK_4iHqX3IC30/pub?start=false&loop=false&delayms=3000&slide=id.gf44795496_0_1
from last year's Real World Crypto as well?