On 05/09/14 01:32, Phillip Hallam-Baker wrote: > The point I am trying to get across here is that there are very few > good reasons for an end user sticking to an obsolete browser and > almost all would upgrade given the choice. This is not the case for > servers and there are lots of folk who will complain if they are > forced to upgrade their server because that might require them to > change their PHP version which in turn requires them to completely > rework a ton of spaghetti code piled on top.
Why would anyone ever be forced to upgrade their server? No-one is suggesting that browsers _only_ support short-lived certs! > It can be dropped as far as security is concerned. But that is only > going to save a few bytes and might cause legacy issues. So why make > being allowed to drop it a major concern at this point? The reason for dropping it is to save the N hundred milliseconds (sometimes much more, if network is bad or server is down) that you have to wait before you can actually go on and request data and display it to the user. This is the big advantage of no-AIA. It's not the miniscule cert size saving. >> This is something you should nail down before 1 or 2. > > OK, if I have to nail it down I will pick 1. Great :-) > I don't see the need to gate on policy changes. What do you think > stops me issuing a 72 hour certificate today? I can't think of > anything. Nothing, but they are no advantage to anyone unless you can also omit the revocation pointers. Which is currently not permitted, hence this discussion. Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
