[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Rob Stradling rob.stradling at comodo.com
Wed Feb 8 10:23:20 UTC 2017

On 08/02/17 01:06, Eric Mill wrote:
> On Tue, Feb 7, 2017 at 5:09 AM, Rob Stradling wrote:
>> On 07/02/17 03:34, Eric Mill via Public wrote:
>>>> * No, not really.  Expired certificates let you click-through while
>>>> revoked certificates are a hard fail, the way it should be (per Rob)
>>> I don't think this (or Rob's original comment) is accurate as
>>> stated.
>>> *If* revocation messages are presented, Firefox disallows
>>> clickthrough.
>> Hi Eric.  I thought I'd captured that "*If*" in my original
>> comment.  :-)
> Apologies, you are right. What I was disagreeing with was the comment
> categorizing Firefox's behavior with revoked certificates as "hard
> fail", and I misremembered your comments on CABF and m.d.s.p as having
> also used the term.

Hi Eric.  I probably have used the term "hard fail" inconsistently on 
various occasions.  ;-)

I think (when I'm managing to be consistent :-) ) that revocation 
checking "hard fails" when the user agent warns the user that it was 
unable to obtain certificate status information.

Whether or not the user agent permits the user to click through a hard 
fail warning, or a warning that the cert has expired, or a warning that 
the cert is known to be revoked, are all separate issues.

> -- Eric
>> I talked about "known revoked certs" - that is, certs that the user
>> agent knows to be revoked (which is likely to only be a subset of
>> the certs that the CA has actually revoked).
>> My point was simply that "known revoked certs" and expired certs
>> should ideally be treated the same way.  My proposal was "Browsers
>> shouldn't allow it to be bypassed" for both cases, but Ryan's
>> rebuttal
>> (https://cabforum.org/pipermail/public/2017-February/009482.html)
>> is persuasive.
>> <snip>

