[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Eric Mill eric at konklone.com
Wed Feb 8 01:06:04 UTC 2017

On Tue, Feb 7, 2017 at 5:09 AM, Rob Stradling <rob.stradling at comodo.com> wrote:

> On 07/02/17 03:34, Eric Mill via Public wrote:
>> * No, not really.  Expired certificates let you click-through while
>> revoked certificates are a hard fail, the way it should be (per Rob)
>> I don't think this (or Rob's original comment) are accurate as stated.
>> *If* revocation messages are presented, Firefox disallows clickthrough.
> Hi Eric.  I thought I'd captured that "*If*" in my original comment.  :-)

Apologies, you are right. What I was disagreeing with was the comment
categorizing Firefox's behavior with revoked certificates as "hard fail",
and I misremembered your comments on CABF and m.d.s.p as having also used
the term.

-- Eric

> I talked about "known revoked certs" - that is, certs that the user agent
> knows to be revoked (which is likely to only be a subset of the certs that
> the CA has actually revoked).
> My point was simply that "known revoked certs" and expired certs should
> ideally be treated the same way.  My proposal was "Browsers shouldn't allow
> it to be bypassed" for both cases, but Ryan's rebuttal (
> https://cabforum.org/pipermail/public/2017-February/009482.html) is
> persuasive.
> <snip>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

konklone.com | @konklone <https://twitter.com/konklone>