[cabfpub] [PROMO]Re: Short-Lived Certificate Ballot

Brian Smith brian at briansmith.org
Mon Nov 2 19:40:14 UTC 2015


On Sun, Nov 1, 2015 at 10:18 AM, Rob Stradling <rob.stradling at comodo.com>
wrote:

> On 31/10/15 19:44, Brian Smith wrote:
> <snip>
>
>> In fact, because the maximum validity
>> period of a short-lived certificate is shorter than the maximum lifetime
>> of an OCSP response, short-lived certificates are actually a *safer*
>> form of revocation than a stapled OCSP response.
>>
>
> Do browsers treat expiration as harshly as revocation yet (i.e. completely
> block access to the site, rather than warn the user but permit them to
> access the site anyway)?
>
> If not, then I half agree (because staleness matters) and half disagree
> (because protecting users matters) that they're "a *safer* form of
> revocation".


I agree it would be better for web browsers to treat expired certificates,
at least expired *short-lived* certificates, exactly as equivalent to
certificates for which they've received a valid REVOKED OCSP response.

In particular, if a browser doesn't allow the "Revoked" response block to
be overridden by the user, then they shouldn't allow the "Expired" block to
be overridden by the user, at least for short-lived certificates.

Do browser makers disagree with that?

Note, however, the Baseline Requirements are not for prescribing browser
behavior, so it would be inappropriate to change the ballot to add a
requirement for browsers to treat short-lived certificates a certain way.

Cheers,
Brian
-- 
https://briansmith.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151102/b129411c/attachment-0003.html>


More information about the Public mailing list