[cabfpub] [PROMO]Re: Short-Lived Certificate Ballot
brian at briansmith.org
Mon Nov 2 12:40:14 MST 2015
On Sun, Nov 1, 2015 at 10:18 AM, Rob Stradling <rob.stradling at comodo.com>
> On 31/10/15 19:44, Brian Smith wrote:
>> In fact, because the maximum validity
>> period of a short-lived certificate is shorter than the maximum lifetime
>> of an OCSP response, short-lived certificates are actually a *safer*
>> form of revocation than a stapled OCSP response.
> Do browsers treat expiration as harshly as revocation yet (i.e. completely
> block access to the site, rather than warn the user but permit them to
> access the site anyway)?
> If not, then I half agree (because staleness matters) and half disagree
> (because protecting users matters) that they're "a *safer* form of
I agree it would be better for web browsers to treat expired certificates,
at least expired *short-lived* certificates, exactly as equivalent to
certificates for which they've received a valid REVOKED OCSP response.
In particular, if a browser doesn't allow the "Revoked" response block to
be overridden by the user, then they shouldn't allow the "Expired" block to
be overridden by the user, at least for short-lived certificates.
Do browser makers disagree with that?
Note, however, the Baseline Requirements are not for prescribing browser
behavior, so it would be inappropriate to change the ballot to add a
requirement for browsers to treat short-lived certificates a certain way.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public