Hi Yaron,

Best I can tell, everyone has jumped onto solving a cool problem, without there actually being any reason to solve it?

I asked about the use case, and CDN authority revocation was all I got (imho a really *weak* reason). Maybe I got it wrong? What *exactly* is a use case for short-term certificates? What about HSTS/HPKP? Why would *any* expired short-term certificate be useful? Practically no ordinary user cares about bad certs - heck - iPhone users don't even have a way to check a cert even if they wanted to.

Kind Regards,
Chris Drake

Friday, July 22, 2016, 8:38:23 PM, you wrote:

YS> On 21/07/16 12:03, Chris Drake wrote:
>> Hi Yaron,
>>
>> The premise seems wrong:
>>> These certificates allow the domain owner to terminate the TLS server's
>>> authorization when necessary,
>>
>> While that is technically true, it does not facilitate the *purpose* of
>> the termination (which would be to prevent continued CDN content
>> distribution) - clients can simply ignore the "expired certificate"
>> problem and still get the content.
>>
>> Trying to build a kludge to use certificates where session keys should
>> be used instead seems a bad-idea(tm) to me.
>>
>> Kind Regards,
>> Chris Drake
>>

YS> Hi Chris,
YS> I am not following your reasoning: the CDN can *always* distribute
YS> content under a fake or self-signed certificate, even if we have
YS> real-time termination of its session keys. After all, it (usually) has a
YS> full copy of the content!

YS> Or are you saying that clients behave differently for expired vs.
YS> self-signed certs? I am not sure that this is the case.

YS> Thanks,
YS> Yaron
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
