[cabfpub] Web Security Context: User Interface Guidelines
Rob Stradling
rob.stradling at comodo.com
Wed Sep 19 07:55:59 UTC 2012
On 18/09/12 18:46, Rick Andrews wrote:
<snip>
> Back in June there was a thread about revocation checking in Firefox in which you and Bob Relyea indicated that FF uses two different libraries, and one of those libraries did not check intermediates.
>
> I'm reattaching the relevant part of the thread:
<snip>
Bob Relyea wrote:
> I believe, however, that an EV failure will only drop the EV chrome,
> not fail the entire connection (this is where Kai would be able to
> provide better information), so even in the EV case, we only fail the EV
> portion, not the entire connection.
So if a CA were to issue a short-lived EV certificate containing zero
revocation URLs, they would be shooting themselves in the foot because
this certificate would _never_ trigger the EV chrome in Firefox.
If our goal is for short-lived certs to solve the revocation problem,
then I think we need short-lived certs to work well for EV too!
I still think that the best approach would be for browsers to change
their code so that online revocation checks are not performed on
certificates (short-lived or long-lived) that are sufficiently "fresh"
(where the freshness would be determined by checking that the notBefore
date is < N days ago, or by adding a new "issuance date" field in a
certificate extension, or (thinking ahead) by checking the timestamp in
an embedded CT proof).
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
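Added example (editor's illustration, not code from Rob Stradling, Comodo, or Mozilla): a small model of the two policies discussed above. `freshness_rule=False` models the behaviour Bob describes, where EV is shown only if a revocation check succeeds and a failure drops just the EV chrome; `freshness_rule=True` puts Rob's proposed "notBefore is < N days ago" test in front of that check. The `Cert` type, the `CLOCK_SKEW` tolerance, the sample certificates and the placeholder OCSP URL are all constructed for the example; no network fetch is performed, the outcome of a real OCSP/CRL lookup is passed in as `online_result`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Tolerance for client/CA clock skew when judging notBefore (assumed value).
CLOCK_SKEW = timedelta(minutes=5)


class Verdict(Enum):
    SKIP_ONLINE_CHECK = "fresh: no OCSP/CRL fetch needed"
    ONLINE_CHECK_REQUIRED = "not fresh: fetch OCSP/CRL"
    NO_REVOCATION_SOURCE = "not fresh and no revocation URL in the cert"
    NOT_YET_VALID = "notBefore lies in the future"


@dataclass(frozen=True)
class Cert:
    """Only the X.509 fields the policy looks at (constructed stand-in)."""
    subject: str
    not_before: datetime
    not_after: datetime
    revocation_urls: tuple = ()   # AIA OCSP and/or CRL distribution point URLs
    ev: bool = False


def revocation_decision(cert, now, max_age_days):
    """Rob's proposal: skip the online check when notBefore is < N days ago.

    The freshness test applies to every certificate regardless of its total
    lifetime; only how long ago it was issued matters.
    """
    if cert.not_before > now + CLOCK_SKEW:
        return Verdict.NOT_YET_VALID
    if now - cert.not_before < timedelta(days=max_age_days):
        return Verdict.SKIP_ONLINE_CHECK
    if not cert.revocation_urls:
        return Verdict.NO_REVOCATION_SOURCE
    return Verdict.ONLINE_CHECK_REQUIRED


def ev_chrome_shown(cert, now, max_age_days, freshness_rule, online_result=None):
    """Whether the EV indicator is displayed.

    freshness_rule=False models the behaviour Bob describes: EV needs a
    revocation check that succeeds, and a failure drops only the EV chrome.
    A cert with no revocation URLs can never satisfy that, so EV is lost.
    freshness_rule=True adds Rob's proposed rule in front of that check.
    online_result is the outcome of a real OCSP/CRL fetch (True = good),
    or None when no fetch was made; no network I/O happens here.
    """
    if not cert.ev:
        return False
    if freshness_rule and revocation_decision(cert, now, max_age_days) is Verdict.SKIP_ONLINE_CHECK:
        return True
    if not cert.revocation_urls:
        return False
    return online_result is True


# Constructed sample certificates; the URL is a placeholder, not a real responder.
NOW = datetime(2012, 9, 19, 8, 0, tzinfo=timezone.utc)
SHORT_LIVED_EV = Cert("3-day EV, no revocation URLs",
                      not_before=NOW - timedelta(days=1),
                      not_after=NOW + timedelta(days=2), ev=True)
STALE_NO_URL = Cert("30-day EV, no revocation URLs, issued 10 days ago",
                    not_before=NOW - timedelta(days=10),
                    not_after=NOW + timedelta(days=20), ev=True)
LONG_LIVED_EV = Cert("one-year EV with OCSP URL",
                     not_before=NOW - timedelta(days=30),
                     not_after=NOW + timedelta(days=335),
                     revocation_urls=("http://ocsp.example.invalid/",), ev=True)
FUTURE_CERT = Cert("EV with notBefore one hour ahead",
                   not_before=NOW + timedelta(hours=1),
                   not_after=NOW + timedelta(days=3), ev=True)


def compare_policies(max_age_days=7):
    """Return {subject: (decision, EV under current behaviour, EV with freshness rule)}."""
    out = {}
    for cert in (SHORT_LIVED_EV, STALE_NO_URL, LONG_LIVED_EV, FUTURE_CERT):
        decision = revocation_decision(cert, NOW, max_age_days)
        # Where the cert carries a URL, assume the fetch would have reported "good".
        fetched = True if cert.revocation_urls else None
        out[cert.subject] = (
            decision,
            ev_chrome_shown(cert, NOW, max_age_days, False, fetched),
            ev_chrome_shown(cert, NOW, max_age_days, True, fetched),
        )
    return out


if __name__ == "__main__":
    for subject, (decision, ev_now, ev_fresh) in compare_policies().items():
        print(f"{subject}: {decision.value}; EV today={ev_now}, EV with freshness rule={ev_fresh}")
```

Running it shows the point of the message: the one-day-old EV certificate with no revocation URLs loses the EV chrome under today's behaviour but keeps it under the freshness rule with N=7, the one-year certificate still triggers an online check under both, and a certificate whose notBefore lies in the future (beyond the skew tolerance) is never treated as fresh.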