[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Mon Feb 6 14:50:25 UTC 2017

On Mon, Feb 6, 2017 at 3:40 AM, Rob Stradling via Public <
public at cabforum.org> wrote:

> Is there anyone who believes that _expiration_ currently "works"?
> When a typical browser encounters an expired server certificate, it shows
> a warning that the user can click through.  The user is only advised to
> avoid harm.  I wonder how many users don't heed that advice?
> However, when a typical browser encounters a server certificate that it
> knows to be revoked, it shows a warning that the user *cannot* click
> through.  The user is *forced* to avoid harm.
> What's stopping browsers from treating expired certs in the same way that
> they treat known revoked certs?
> (FWIW, I've made this point before:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/T11up58JkFc/uMNrXQsIzf0J)

Perhaps it's worth starting a separate thread for that discussion?

And perhaps it's worth reviewing
from last year's Real World Crypto as well?