On 05/09/14 10:55, Gervase Markham wrote:
> On 05/09/14 10:47, Rob Stradling wrote:
> <snip>
>> If the false positive rate drops to near-zero by 3 months after expiry,
>> then I think that could work.  However, it would need to work equally
>> well for both long-lived certs and short-lived certs.  Therefore,
>> short-lived certs would still need to provide revocation info, even if
>> the browser only uses that revocation info if it encounters the
>> short-lived cert after its expiry date.
>
> Short-lived certs have different characteristics here, because if
> someone is deploying them, we know that they have the infrastructure to
> rotate certs quickly. It's not going to be some admin forgetting a
> yearly renewal. So I think that we would leave revocation info out of
> short-lived certs, but we would switch to Secure Connection Failed after
> hours or a day rather than 3 months. Or even go straight there.

OK.  That would work.  :-)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
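The handling Gerv sketches above (a long-lived cert gets a grace window after expiry in which the browser finally consults its revocation info, a short-lived cert carries none and goes to Secure Connection Failed after at most a day, or immediately), written out as a decision function. This is an added illustration, not code from Mozilla, Comodo or either poster; the cut-off that makes a cert "short-lived", the 90-day and 1-day grace values, the name `evaluate` and the choice to fail a long-lived cert that lacks revocation info are all assumptions made here for the example.

```python
"""Decision logic for expired certificates, modelling the policy sketched in
the thread. Thresholds (SHORT_LIVED_MAX, the two grace windows) are
assumptions for illustration, not values from the thread or any browser."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"                      # within validity (or short grace): trust
    CHECK_REVOCATION = "check-revocation"  # expired but in grace: consult CRL/OCSP first
    FAILED = "secure-connection-failed"    # hard error page


@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime
    has_revocation_info: bool  # a CRL distribution point or OCSP AIA is present


# Assumed policy knobs (illustrative, not from the thread).
SHORT_LIVED_MAX = timedelta(days=7)     # validity at or below this counts as "short-lived"
LONG_LIVED_GRACE = timedelta(days=90)   # "3 months after expiry"
SHORT_LIVED_GRACE = timedelta(days=1)   # "hours or a day"; zero means "go straight there"


def is_short_lived(cert: Cert) -> bool:
    return cert.not_after - cert.not_before <= SHORT_LIVED_MAX


def evaluate(cert: Cert, now: datetime,
             short_lived_grace: timedelta = SHORT_LIVED_GRACE) -> Verdict:
    if now < cert.not_before:
        return Verdict.FAILED
    if now <= cert.not_after:
        return Verdict.ACCEPT
    overdue = now - cert.not_after
    if is_short_lived(cert):
        # Rotated by automation, so a stale one is a real problem rather than a
        # forgotten yearly renewal: no revocation lookup, just a short grace
        # (assumed to behave like ACCEPT) and then a hard failure.
        return Verdict.ACCEPT if overdue <= short_lived_grace else Verdict.FAILED
    if overdue > LONG_LIVED_GRACE:
        return Verdict.FAILED
    # Inside the grace window is the only point at which the revocation info is
    # actually used. A long-lived cert without any is failed conservatively
    # (assumption made for this example).
    return Verdict.CHECK_REVOCATION if cert.has_revocation_info else Verdict.FAILED


def demo() -> dict:
    """Constructed sample certificates; returns the verdict for each case."""
    now = datetime(2014, 9, 5, 12, 0, tzinfo=timezone.utc)
    year = timedelta(days=365)
    long_in_grace = Cert(now - year, now - timedelta(days=30), True)
    long_no_info = Cert(now - year, now - timedelta(days=30), False)
    long_stale = Cert(now - year - timedelta(days=100), now - timedelta(days=100), True)
    short_fresh = Cert(now - timedelta(days=3), now - timedelta(hours=6), False)
    short_stale = Cert(now - timedelta(days=4), now - timedelta(days=2), False)
    return {
        "long_in_grace": evaluate(long_in_grace, now),
        "long_no_info": evaluate(long_no_info, now),
        "long_stale": evaluate(long_stale, now),
        "short_fresh": evaluate(short_fresh, now),
        "short_fresh_zero_grace": evaluate(short_fresh, now, timedelta(0)),
        "short_stale": evaluate(short_stale, now),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict.value}")
```

The point the code makes concrete is the asymmetry both posters agree on: for a long-lived cert the revocation pointers are dormant until the cert is seen past `not_after`, whereas a short-lived cert never needs them because its only failure mode after expiry is a hard stop within a day.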
