[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
sleevi at google.com
Mon Feb 6 14:50:25 UTC 2017
On Mon, Feb 6, 2017 at 3:40 AM, Rob Stradling via Public <
public at cabforum.org> wrote:
> Is there anyone who believes that _expiration_ currently "works"?
>
> When a typical browser encounters an expired server certificate, it shows
> a warning that the user can click through. The user is only advised to
> avoid harm. I wonder how many users don't heed that advice?
>
> However, when a typical browser encounters a server certificate that it
> knows to be revoked, it shows a warning that the user *cannot* click
> through. The user is *forced* to avoid harm.
>
> What's stopping browsers from treating expired certs in the same way that
> they treat known revoked certs?
>
> (FWIW, I've made this point before:

Perhaps it's worth starting a separate thread for that discussion?
And perhaps it's worth reviewing
from last year's Real World Crypto as well?