[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
eric at konklone.com
Wed Feb 8 01:06:04 UTC 2017
On Tue, Feb 7, 2017 at 5:09 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
> On 07/02/17 03:34, Eric Mill via Public wrote:
>> * No, not really. Expired certificates let you click-through while
>> revoked certificates are a hard fail, the way it should be (per Rob)
>> I don't think this (or Rob's original comment) are accurate as stated.
>> *If* revocation messages are presented, Firefox disallows clickthrough.
> Hi Eric. I thought I'd captured that "*If*" in my original comment. :-)
Apologies, you are right. What I was disagreeing with was the comment
categorizing Firefox's behavior with revoked certificates as "hard fail",
and I misremembered your comments on CABF and m.d.s.p as having also used
> I talked about "known revoked certs" - that is, certs that the user agent
> knows to be revoked (which is likely to only be a subset of the certs that
> the CA has actually revoked).
> My point was simply that "known revoked certs" and expired certs should
> ideally be treated the same way. My proposal was "Browsers shouldn't allow
> it to be bypassed" for both cases, but Ryan's rebuttal (
> https://cabforum.org/pipermail/public/2017-February/009482.html) is
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
konklone.com | @konklone <https://twitter.com/konklone>