[cabfpub] Pre-Ballot - Short-Life Certificates

Gervase Markham gerv at mozilla.org
Wed Oct 29 08:51:30 MST 2014


On 28/10/14 23:59, kirk_hall at trendmicro.com wrote:
> Put another way, if browsers would already have to change their code to
> say “it’s ok for a cert not to have revocation pointers if it’s a 48
> hour cert”

We don't - because no browser I know of today, in its default
configuration, will refuse to accept a cert for the reason that it
contains no revocation pointers.

If revocation pointers are present, then they may be checked (with
exactly how that's done varying from browser to browser). It's not the
case that the above paragraph means "no revocation checking is done"; it
means "no revocation checking is done if there is no way to do it".

Gerv

