On 18/11/16 01:43, Brian Smith wrote:
> The fundamental problem is that web browsers accept certificates with
> validity periods that are years long. If you want to have the agility to
> fix things with an N month turnaround, reject certificates that are valid
> for more than N months.

That's all very well to say. The CAB Forum is deadlocked over a proposal to reduce the max validity of everything to 2 years + 3 months; some people like it because it removes a disadvantage of EV (which already has this limit), others don't like it because people like not having to change their cert and are willing to pay for longer. Mozilla is in support, but without agreement, we can hardly implement unilaterally - the breakage would be vast.

Gerv

