On Wed, Nov 11, 2009 at 7:25 AM, Bil Corry <b...@corry.biz> wrote:

> Would LockCA prevent the site from loading if it encountered a new cert from
> the same CA?
My understanding is that it would not.

> Or are you talking about a site that wants to switch CAs and is using LockCA?

I think Gervase means that you want some overlap so that folks that connect to your site the day after you renew your certificate are protected.

> How about instead there's a way to set the max-age relative to the cert
> expiration? So -3024000 is two weeks before the cert expiration and 3024000
> is two weeks after. I'm in agreement with Devdatta that it would be easy for
> someone to lock out their visitors, and I think this is easier to implement.

That seems overly complicated and contrary to the semantics of max-age in other HTTP headers. I'm not convinced we need to paternally second-guess site operators. Keep in mind that the site operator can supply a lower max-age in a subsequent request if they realize they screwed up and want to reduce the duration. That said, it might be worth capping the max-age at one or two years.

Adam
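The behaviours discussed in the exchange above (a renewed cert from the same CA still loading, a CA switch during a live pin locking visitors out, a later response with a smaller max-age shortening the pin, and a cap on max-age) can be made concrete with a small client-side pin store. The code below is an added illustration written for this page, not code from Adam, Bil, or any browser; the `PinStore` class, the CA identifier strings, the 30-day and two-year numbers and the header processing are all hypothetical, since the thread never defines a LockCA wire format. It uses the absolute "seconds from now" max-age semantics Adam argues for rather than the cert-expiry-relative variant.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical two-year ceiling, one of the values floated in the thread.
MAX_AGE_CAP_SECONDS = 2 * 365 * 24 * 3600


class PinStore:
    """Minimal client-side store for a hypothetical LockCA-style header.

    Maps host -> (pinned CA identifier, expiry time). The CA identifier is
    an opaque string here; a real implementation would key on something
    like the CA certificate's public key hash.
    """

    def __init__(self):
        self.pins = {}

    def process_header(self, host, ca_id, max_age, now):
        """Record or update a pin from a response header.

        max-age is absolute seconds from 'now', as in other HTTP headers.
        A later response with a smaller max-age shortens the pin; max-age=0
        clears it. Values above the cap are clamped.
        """
        if max_age < 0:
            raise ValueError("max-age must be non-negative")
        max_age = min(max_age, MAX_AGE_CAP_SECONDS)
        if max_age == 0:
            self.pins.pop(host, None)
            return None
        expiry = now + timedelta(seconds=max_age)
        self.pins[host] = (ca_id, expiry)
        return expiry

    def check(self, host, presented_ca_id, now):
        """Decide a connection: 'allow', 'block', or 'unpinned'."""
        pin = self.pins.get(host)
        if pin is None:
            return "unpinned"
        ca_id, expiry = pin
        if now >= expiry:
            del self.pins[host]  # expired pin is dropped, host is unpinned again
            return "unpinned"
        return "allow" if presented_ca_id == ca_id else "block"


def scenario():
    """Walk through the cases raised in the thread; constructed sample data."""
    now = datetime(2009, 11, 11, tzinfo=timezone.utc)
    store = PinStore()
    results = {}

    # Site pins CA-A for 30 days.
    store.process_header("example.com", "CA-A", 30 * 86400, now)

    # Bil's first question: a new cert from the same CA still loads.
    results["same_ca_renewal"] = store.check(
        "example.com", "CA-A", now + timedelta(days=10))

    # Switching to a different CA while the pin is live locks visitors out.
    results["ca_switch_locked"] = store.check(
        "example.com", "CA-B", now + timedelta(days=10))

    # Adam's remedy: while still on CA-A, the operator sends a smaller
    # max-age (1 day). Two days later the pin has lapsed and CA-B is fine.
    store.process_header("example.com", "CA-A", 86400, now + timedelta(days=10))
    results["after_shortening"] = store.check(
        "example.com", "CA-B", now + timedelta(days=12))

    # An overlong max-age (10 years) is clamped to the cap.
    expiry = store.process_header("example.com", "CA-A", 10 * 365 * 86400, now)
    results["capped_days"] = (expiry - now).days
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The shortening step only works if the operator notices the mistake while clients can still reach the site with the pinned CA; once the switch has happened, a client that already holds the pin has no way to receive the corrective header, which is the lock-out risk the thread is weighing against a cap.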