[cabfpub] Pre-Ballot - Short-Life Certificates

Gervase Markham gerv at mozilla.org
Thu Oct 30 13:24:45 UTC 2014

On 29/10/14 18:10, Doug Beattie wrote:
> I just find it hard to swallow that all browsers accept SSL
> certificates without an AIA/CDP as valid. 

Browsers have to deal with many weird and wonderful certs. The BRs apply
to publicly-trusted SSL, but people also use browsers on intranets and
private networks.

> Are we SURE that removing AIA won't adversely impact site operators'
> customers, whoever they are?

I don't have any evidence that it will, but again, this is irrelevant to
an assessment of the security properties of making this change.
Presumably the worst that could happen is that some clients refuse to
accept the cert, which is not a security problem in itself.

If we decide to enable this change, CAs can experiment and see whether
there are, in practice, reasons that some or even all certificate-using
communities can't use this. But "is it practical or not?" is irrelevant
to the question before us.
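The concrete check behind this exchange is whether a certificate carries AIA or CRL Distribution Points extensions and how long it lives. The script below is an added example, not code from this thread or from any CA: it uses openssl to mint two self-signed test certificates, a conventional one-year certificate with OCSP (AIA) and CRL (CDP) pointers and a three-day certificate with neither, then classifies each the way a client might before deciding whether a revocation lookup is even possible. The hostnames and URLs are placeholders, and it assumes an openssl new enough to accept `-addext` (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not code from the cabfpub thread: build two self-signed test
# certificates and tell a short-lived certificate without AIA/CDP apart from a
# conventional one. Hostnames and URLs are placeholders chosen for this example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Conventional certificate: one year, with OCSP (AIA) and CRL (CDP) pointers.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/legacy.key" -out "$WORK/legacy.pem" \
  -subj "/CN=legacy.example.test" \
  -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test" \
  -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" \
  2>/dev/null

# Short-lived certificate: three days, no revocation pointers at all.
openssl req -x509 -newkey rsa:2048 -nodes -days 3 \
  -keyout "$WORK/short.key" -out "$WORK/short.pem" \
  -subj "/CN=short.example.test" 2>/dev/null

# Print which revocation pointers a certificate carries:
# "aia", "cdp", "aia cdp" or "none".
has_revocation_pointer() {
  text=$(openssl x509 -in "$1" -noout -text)
  found=""
  echo "$text" | grep -q "Authority Information Access" && found="${found}aia "
  echo "$text" | grep -q "CRL Distribution Points" && found="${found}cdp "
  found=${found% }
  printf '%s\n' "${found:-none}"
}

# Return 0 if the certificate expires within $2 seconds of now, i.e. it is
# short-lived on that threshold; return 1 otherwise. Uses openssl's -checkend,
# which exits non-zero when the certificate will expire inside the window.
is_short_lived() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
    return 1
  fi
  return 0
}

# Seven-day threshold for "short-lived" is an assumption made for this example.
for cert in "$WORK/legacy.pem" "$WORK/short.pem"; do
  if is_short_lived "$cert" 604800; then lived=yes; else lived=no; fi
  printf '%s: pointers=[%s] short_lived=%s\n' \
    "$(basename "$cert")" "$(has_revocation_pointer "$cert")" "$lived"
done
```

A client that finds `pointers=[none]` has nothing to fetch, so its only choices are to treat the short validity period as the revocation mechanism or to reject the certificate; as the message above notes, rejection is a compatibility outcome, not a security failure.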
