[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Rob Stradling rob.stradling at comodo.com
Mon Feb 6 11:40:12 UTC 2017

Is there anyone who believes that _expiration_ currently "works"?

When a typical browser encounters an expired server certificate, it 
shows a warning that the user can click through.  The user is only 
advised to avoid harm.  I wonder how many users don't heed that advice?

However, when a typical browser encounters a server certificate that it 
knows to be revoked, it shows a warning that the user *cannot* click 
through.  The user is *forced* to avoid harm.

What's stopping browsers from treating expired certs in the same way 
that they treat known revoked certs?

(FWIW, I've made this point before:

On 03/02/17 19:40, Richard Barnes via Public wrote:
> Is there anyone on the relying party side of the universe that believes
> revocation works?  Even among browsers that send OCSP requests, none of
> them hard-fail if it doesn't work, because in practice, OCSP servers are
> so awful that HTTPS would become unusable.  So OCSP is still, as AGL
> says, a seat belt that breaks when you crash.  Seems fair to call that
> broken.
> Even if OCSP were magically to become usable, though, (or some
> replacement for it) this ballot would still be necessary for all the
> other reasons that have been discussed here.
> On Fri, Feb 3, 2017 at 11:34 AM, Rich Smith via Public
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>     Ryan, since you're using your age old FUD "revocation doesn't work"
>     (because certain browsers have chosen not to consult revocation
>     information) as part of the reasoning as to why this ballot is
>     necessary, I think it's quite germane to the discussion.
>     On 2/3/2017 11:38 AM, Ryan Sleevi via Public wrote:
>>     On Fri, Feb 3, 2017 at 9:11 AM, Rob Stradling
>>     <rob.stradling at comodo.com <mailto:rob.stradling at comodo.com>> wrote:
>>         Ryan, what targets
>>         (filesize/performance/reliability/reachability/etc) would CAs
>>         need to meet before it would become viable to reintroduce CRLs
>>         to the WebPKI (i.e., for Chrome to start checking CRLs and
>>         hard-failing if they're unobtainable)?
>>     Happy to have that discussion at another time, but it's not
>>     germane to the discussion at hand, as I clearly indicated in the
>>     original message. It's necessary, but not sufficient, to have
>>     that, and we're not presently proposing addressing all the other
>>     necessary conditions. Baby steps.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list