[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
Eric Mill
eric at konklone.com
Tue Feb 7 18:06:04 MST 2017
On Tue, Feb 7, 2017 at 5:09 AM, Rob Stradling <rob.stradling at comodo.com>
wrote:
> On 07/02/17 03:34, Eric Mill via Public wrote:
>
>>> * No, not really. Expired certificates let you click-through while
>>> revoked certificates are a hard fail, the way it should be (per Rob)
>>
>> I don't think this (or Rob's original comment) are accurate as stated.
>>
>> *If* revocation messages are presented, Firefox disallows clickthrough.
>>
>
> Hi Eric. I thought I'd captured that "*If*" in my original comment. :-)
>
Apologies, you are right. What I was disagreeing with was the comment
categorizing Firefox's behavior with revoked certificates as "hard fail",
and I misremembered your comments on CABF and m.d.s.p as having also used
the term.
-- Eric
>
> I talked about "known revoked certs" - that is, certs that the user agent
> knows to be revoked (which is likely to only be a subset of the certs that
> the CA has actually revoked).
>
> My point was simply that "known revoked certs" and expired certs should
> ideally be treated the same way. My proposal was "Browsers shouldn't allow
> it to be bypassed" for both cases, but Ryan's rebuttal (
> https://cabforum.org/pipermail/public/2017-February/009482.html) is
> persuasive.
>
> <snip>
>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
>
--
konklone.com | @konklone <https://twitter.com/konklone>