[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
Rob Stradling
rob.stradling at comodo.com
Tue Feb 7 03:09:18 MST 2017
On 07/02/17 03:34, Eric Mill via Public wrote:
>> * No, not really. Expired certificates let you click-through while
> revoked certificates are a hard fail, the way it should be (per Rob)
>
> I don't think this (or Rob's original comment) are accurate as stated.
>
> *If* revocation messages are presented, Firefox disallows clickthrough.

Hi Eric. I thought I'd captured that "*If*" in my original comment. :-)

I talked about "known revoked certs" - that is, certs that the user
agent knows to be revoked (which is likely to only be a subset of the
certs that the CA has actually revoked).

My point was simply that "known revoked certs" and expired certs should
ideally be treated the same way. My proposal was "Browsers shouldn't
allow it to be bypassed" for both cases, but Ryan's rebuttal
(https://cabforum.org/pipermail/public/2017-February/009482.html) is
persuasive.

<snip>
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online