[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
rob.stradling at comodo.com
Wed Feb 8 10:23:20 UTC 2017
On 08/02/17 01:06, Eric Mill wrote:
> On Tue, Feb 7, 2017 at 5:09 AM, Rob Stradling wrote:
> On 07/02/17 03:34, Eric Mill via Public wrote:
> * No, not really. Expired certificates let you
> click-through while
> revoked certificates are a hard fail, the way it should be (per Rob)
> I don't think this (or Rob's original comment) are accurate as
> *If* revocation messages are presented, Firefox disallows
> Hi Eric. I thought I'd captured that "*If*" in my original
> comment. :-)
> Apologies, you are right. What I was disagreeing with was the comment
> categorizing Firefox's behavior with revoked certificates as "hard
> fail", and I misremembered your comments on CABF and m.d.s.p as having
> also used the term.
Hi Eric. I probably have used the term "hard fail" inconsistently on
various occasions. ;-)
I think (when I'm managing to be consistent :-) ) that revocation
checking "hard fails" when the user agent warns the user that it was
unable to obtain certificate status information.
Whether or not the user agent permits the user to click through a hard
fail warning, or a warning that the cert has expired, or a warning that
the cert is known to be revoked, are all separate issues.
> -- Eric
> I talked about "known revoked certs" - that is, certs that the user
> agent knows to be revoked (which is likely to only be a subset of
> the certs that the CA has actually revoked).
> My point was simply that "known revoked certs" and expired certs
> should ideally be treated the same way. My proposal was "Browsers
> shouldn't allow it to be bypassed" for both cases, but Ryan's
> is persuasive.
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public