On 12/11/09 09:08, Adam Barth wrote:
> On Wed, Nov 11, 2009 at 7:25 AM, Bil Corry <b...@corry.biz> wrote:
>> Would LockCA prevent the site from loading if it encountered a new cert from
>> the same CA?
>
> My understanding is that it would not.
>
>> Or are you talking about a site that wants to switch CAs and is using
>> LockCA?
>
> I think Gervase means that you want some overlap so that folks that
> connect to your site the day after you renew your certificate are
> protected.
>
>> How about instead there's a way to set the max-age relative to the cert
>> expiration? So -3024000 is two weeks before the cert expiration and 3024000
>> is two weeks after. I'm in agreement with Devdatta that it would be easy
>> for someone to lock out their visitors, and I think this is easier to
>> implement.
>
> That seems overly complicated and contrary to the semantics of max-age
> in other HTTP headers.
>
> I'm not convinced we need to paternally second-guess site operators.
> Keep in mind that the site operator can supply a lower max-age in a
> subsequent request if they realize they screwed up and want to reduce
> the duration.
Except that some clients may not come back to see the lower max-age. Then, they
make their first revisit after the lower max-age has expired and before the
higher one has expired, and the site has changed its site, and boom.

> That said, it might be worth capping the max-age at one
> or two years.

A 1-year cap is probably wise.

Gerv
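The lockout Gerv describes, as an added example that is not part of the thread or of any LockCA implementation: a toy client-side pin store (hypothetical, assuming LockCA pins the CA of the current cert with an HSTS-style max-age) shows that a client which never sees the lowered max-age stays locked to the old CA, and that a cap on max-age bounds how long that lasts.

```python
DAY = 24 * 3600
ONE_YEAR = 365 * DAY  # the cap floated in the thread


class PinStore:
    """Hypothetical per-client LockCA store: host -> (pinned CA, expiry time)."""

    def __init__(self, cap=ONE_YEAR):
        self.cap = cap  # None means "trust whatever max-age the site sends"
        self.pins = {}

    def allowed(self, host, ca, now):
        # No pin, or an expired pin, imposes nothing; otherwise the CA must match.
        pin = self.pins.get(host)
        if pin is None or now >= pin["expires"]:
            return True
        return pin["ca"] == ca

    def visit(self, host, ca, max_age, now):
        """Client connects and sees a cert from `ca` plus a max-age directive.
        Returns False when the existing pin blocks the connection."""
        if not self.allowed(host, ca, now):
            return False
        ttl = max_age if self.cap is None else min(max_age, self.cap)
        if ttl <= 0:
            self.pins.pop(host, None)  # max-age=0 clears the pin, as in HSTS
        else:
            self.pins[host] = {"ca": ca, "expires": now + ttl}
        return True


def revisit_allowed(cap, saw_lowered_max_age, revisit_day):
    """Constructed timeline: the client pins OldCA on day 0 with a two-year
    max-age; the operator lowers max-age to 30 days on day 10 (which only some
    clients see) and moves to NewCA on day 60. Does a revisit on `revisit_day`
    succeed?"""
    store = PinStore(cap)
    host = "example.com"
    store.visit(host, "OldCA", 2 * ONE_YEAR, 0)
    if saw_lowered_max_age:
        store.visit(host, "OldCA", 30 * DAY, 10 * DAY)
    return store.visit(host, "NewCA", ONE_YEAR, revisit_day * DAY)
```

A client that did see the lowered max-age is fine; one that did not is locked out until the original pin expires, which the cap shortens from two years to one.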