[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Rob Stradling rob.stradling at comodo.com
Tue Feb 7 10:09:18 UTC 2017

On 07/02/17 03:34, Eric Mill via Public wrote:
>> * No, not really.  Expired certificates let you click-through while
> revoked certificates are a hard fail, the way it should be (per Rob)
> I don't think this (or Rob's original comment) are accurate as stated.
> *If* revocation messages are presented, Firefox disallows clickthrough.

Hi Eric.  I thought I'd captured that "*If*" in my original comment.  :-)

I talked about "known revoked certs" - that is, certs that the user 
agent knows to be revoked (which is likely to only be a subset of the 
certs that the CA has actually revoked).

My point was simply that "known revoked certs" and expired certs should 
ideally be treated the same way.  My proposal was "Browsers shouldn't 
allow it to be bypassed" for both cases, but Ryan's rebuttal 
(https://cabforum.org/pipermail/public/2017-February/009482.html) is 


Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list